[BreachExchange] Aetna Reaches Settlement with California Over 2017 Privacy Breach

Destry Winant destry at riskbasedsecurity.com
Fri Feb 1 09:12:12 EST 2019


https://healthitsecurity.com/news/aetna-reaches-settlement-with-california-over-2017-privacy-breach

Aetna will pay California $935,000 for its 2017 privacy breach,
stemming from a mailing error that inadvertently revealed the
HIV-related information of 1,991 Californians (12,000 patients in
total) through the envelope’s clear window.

The settlement resolves the allegations that Aetna violated the
state’s privacy laws concerning patient confidentiality. On July 28,
2017, the insurer’s mailing vendor sent patients instructions for
their HIV medications in an envelope with oversized clear windows. The
contents could be clearly seen from the outside.

Attorney General Xavier Becerra explained that in doing so, Aetna
violated several California state laws, including the Confidentiality
of Medical Information Act, Health and Safety Code section 120980, the
State Constitution, and the Unfair Competition Law.

“A person’s HIV status is incredibly sensitive information and
protecting that information must be a top priority for the entire
healthcare industry,” Becerra said in a statement. “Aetna violated the
public’s trust by revealing patients' private and personal medical
information.”

“We will continue to hold these companies accountable to prevent such
a gross privacy violation from reoccurring,” he added.

In addition to the fine, Aetna must implement and maintain mailing
procedures that ensure the confidentiality of medical data, with steps
to guarantee that information isn’t visible through envelope windows.

Further, the insurer must designate an employee to be responsible for
the implementation and maintenance of the mailing program, along with
ensuring compliance with state and federal privacy laws and managing
how external vendors handle medical data in compliance with the
insurer’s policies.

For the next three years, Aetna will also be mandated to complete an
annual privacy risk assessment that will evaluate compliance with the
settlement terms.

In January 2018, Aetna settled with the 12,000 individuals impacted by
the breach for $17 million in the U.S. District Court for the Eastern
District of Pennsylvania. In October 2018, the insurer reached
settlements with Connecticut, Washington, New Jersey, and Washington,
D.C. over the 2017 mailing breach and a second mailing breach of about
1,600 cardiac patients.


More information about the BreachExchange mailing list