Aetna, a Connecticut-based health insurer, has agreed to pay the California Attorney General $935,000 to resolve a 2017 privacy breach that exposed state residents' HIV status. Over the past few years California has increasingly pursued HIPAA-related violations at the state level, with fines levied by the Attorney General rather than by federal regulators; this settlement is the most recent example.
The breach occurred on July 28, 2017, when Aetna's mailing vendor sent letters to members who were either taking HIV medication or taking a drug to prevent HIV infection. The letters contained detailed instructions for taking the medication, and that text was clearly visible through the window of the envelope, so anyone who handled the mail could read it. The Attorney General treated this as an impermissible disclosure of patients' protected health information under HIPAA, since the information was potentially exposed to postal workers, friends, family members, and roommates. Of the roughly 12,000 members who received the letter, 1,991 lived in California.
This echoes an earlier HIPAA settlement involving St. Luke's Hospital in NYC, where patients' HIV status was impermissibly disclosed because of a mailing error. The hospital settled with OCR for $387,000 in May 2017. Although the Aetna breach has not yet resulted in an OCR settlement, the California Attorney General's $935,000 fine is more than double the OCR settlement with St. Luke's.
HIPAA was enacted in 1996 to establish national standards for protecting the privacy and security of patients' protected health information (PHI). The standards apply to covered entities (health plans, healthcare clearinghouses, and providers that conduct certain transactions electronically) and to the business associates, such as mailing vendors, that handle PHI on their behalf. PHI is individually identifiable health information: health data linked to identifiers such as names, addresses, phone numbers, and Social Security numbers, among many others.
The HIPAA Rules give healthcare organizations a baseline for protecting PHI. The Privacy Rule sets national standards for the privacy and accessibility of PHI, requires appropriate safeguards to keep PHI private, and establishes patients' rights to access their own medical records. In this instance Aetna failed to implement adequate privacy safeguards, including oversight of the vendor mailing on its behalf, and exposed its members' sensitive information.
According to California Attorney General Xavier Becerra, the privacy breach not only violated the HIPAA Rules but also several California laws: the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code, and the State Constitution.
In addition to paying the fine, Aetna must designate an employee to oversee its mailing program, implement effective standards for complying with federal and state law, and supervise its relationships with external vendors to ensure that they handle medical data in accordance with state and federal law and with Aetna's own policies and procedures. Aetna must also complete an annual privacy risk assessment for the next three years to demonstrate compliance with the terms of the settlement.
California Attorney General Becerra said of the incident: “A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry. Aetna violated the public’s trust by revealing patients’ private and personal medical information.”
California has emerged as one of the leading US states in both protecting patients' rights to privacy and data security and prosecuting violations of those rights.
Including this California settlement, Aetna has settled at least four cases over the past couple of years arising from these privacy breaches. In January 2018, Aetna settled two separate cases: a class action lawsuit filed on behalf of victims of the breach, for $17,161,200, and an action by the New York Attorney General, for $1,150,000, resolving HIPAA violations and breaches of state law.
Additionally, Aetna paid $640,170.59 to settle a multi-state action by the Attorneys General of New Jersey, Connecticut, and Washington and of the District of Columbia. Excluding the class action settlement, the regulatory penalties issued to Aetna in relation to these breaches (California, New York, and the multi-state action) total $2,725,170.59.