[BreachExchange] Aetna Fined $1 Million After 3 Data Breaches

Destry Winant destry at riskbasedsecurity.com
Fri Oct 30 10:20:04 EDT 2020


https://www.bankinfosecurity.com/aetna-fined-1-million-after-3-data-breaches-a-15264

Federal regulators have slapped health insurer Aetna with a $1 million
HIPAA settlement for three 2017 breaches - including a mailing
incident that exposed HIV information - that occurred within six
months.

The incident involving the exposure of nearly 12,000 health plan
members' HIV information previously resulted in $3 million worth of
settlements in 2018 and 2019 with several state attorneys general plus
a $17.2 million class action lawsuit settlement (see: Aetna Fined Yet
Again for Exposing HIV Information).

HIPAA Deficiencies

In a statement Wednesday, the Department of Health and Human Services'
Office for Civil Rights says its investigation into the three
incidents involving impermissible data disclosures revealed a number
of HIPAA deficiencies. Those deficiencies included failing to:

- Perform periodic evaluations of operational changes affecting the
security of electronic protected health information;
- Implement procedures to verify the identity of people or entities
seeking access to ePHI;
- Limit PHI disclosures to the minimum necessary to accomplish the
purpose of the use or disclosure;
- Have in place appropriate administrative, technical and physical
safeguards to protect the privacy of PHI.

"When individuals contract for health insurance, they expect plans to
keep their medical information safe from public exposure.
Unfortunately, Aetna's failure to follow the HIPAA rules resulted in
three breaches in a six-month period, leading to this million dollar
settlement," said OCR Director Roger Severino.

Aetna Statement

In a statement provided to Information Security Media Group, Aetna,
which was acquired in 2018 by CVS Health, says: "Protecting our
members' privacy is a responsibility we take very seriously. We've
entered into a settlement agreement with the OCR related to incidents
that occurred in 2017, during which personal health information was
inadvertently exposed.

"These incidents occurred prior to Aetna becoming part of CVS Health
and did not involve any of the company's other businesses. We have
since updated our processes and procedures to further protect member
information and are working cooperatively with OCR to further enhance
our policies related to privacy and security."

3 Breaches

OCR says that Aetna submitted a breach report stating that on April
27, 2017, it discovered that two web services used to display
documents to health plan members allowed documents to be accessible
without login credentials and subsequently indexed by internet search
engines. The insurer reported that about 5,000 individuals were
affected by this breach.

In a second breach report filed in August 2017, the insurer said
benefit notices were mailed to members using window envelopes. Shortly
after the mailing, Aetna received complaints from members that the
words "HIV medication" could be seen through the envelope's window
below the member's name and address, OCR notes. Aetna reported that
almost 12,000 individuals were affected by this incident.

In the third breach reported in November 2017, a research study
mailing sent to Aetna plan members contained on the envelope the name
and logo of the atrial fibrillation research study in which they were
participating. Aetna reported that 1,600 individuals were affected
(see Aetna Hit with More Penalties for Two Breaches).

'Root Causes'

The investigation into the root causes of the breaches reported by
Aetna highlights the need for effective information assurance programs
safeguarding PHI in all forms and formats, says privacy attorney David
Holtzman of consulting firm HITprivacy LLC.

"Organizations with successful programs employ a risk-based approach
that identifies where sensitive consumer information is created and
stored, looks at how access to data is managed and monitored as well
as ensures a comprehensive plan for physical and technical controls to
protect data," he says.

"Healthcare organizations that mitigate vulnerabilities identified
through a risk-based approach to safeguarding data are continually
evaluating the adequacy of their approach against new and evolving
threats as well as changes to their business environment or the way
they are creating or using sensitive consumer information."

Corrective Action Plan

The resolution agreement with Aetna includes a corrective action plan
that calls for the insurer to:

- Develop, maintain and revise its HIPAA policies and procedures;
- Make sure those policies and procedures address performing periodic
evaluations in response to environmental or operational changes
affecting the security of PHI; authenticating those seeking access to
PHI; limiting the disclosure of PHI to what is minimally necessary to
accomplish a given purpose; and applying appropriate administrative,
technical, and physical safeguards to protect the privacy of PHI;
- Distribute those policies and procedures to its workforce and
provide training.

Other Enforcement Actions

The settlement with Aetna follows a string of a dozen other HIPAA
enforcement actions by OCR in recent months.

Those include a series of cases involving patients' right to access
their records and three multimillion-dollar settlements following
breaches involving hacking incidents (see HHS Issues Another Right of
Access Settlement).

The largest of the recent actions was a $6.8 million settlement with
Premera Blue Cross after a 2014 breach that exposed information on
10.4 million individuals.
