Insurance Company is Sued After Disclosing HIV Status of its Policyholders
TechLawLogy™: eDiscovery and Privacy Blog
Typically, when people think of a data breach they visualize hackers, servers, firewalls, and the failure of information technology systems. But a data breach can occur without the involvement of high technology. This was recently exemplified by the medical insurance provider Aetna, which sent a mass mailer as part of a class-action settlement that revealed the HIV status of the recipients. Aetna is now facing a series of lawsuits, including a class action lawsuit, for various claims, including that Aetna violated federal and state privacy laws, and breached a prior settlement agreement.
Aetna violated state and federal privacy laws by sending a mailer that exposed the HIV status of recipients.
The cause of Aetna’s information leak was about as low-tech as it gets. Aetna previously faced two separate lawsuits because it required policyholders to receive HIV medication through the mail rather than picking it up at a pharmacy. The plaintiffs in those cases argued that sending the medication through the mail risked exposing their HIV status to third parties. As part of the settlement for those suits, Aetna agreed to send out around 12,000 letters to inform policyholders that they could now pick up their HIV medications directly from pharmacies. Ironically, it is this very mailer that is at issue in the present string of lawsuits against Aetna. In sending these letters, Aetna used envelopes with a large window that exposed a portion of the letter’s text indicating that it concerned the recipient’s HIV medications. Any person handling the mail, whether it be a landlord, roommate, fellow employee, friend, or family member, had access to this information.
Aetna has been silent regarding how this privacy breach might have occurred. The plaintiffs in these cases believe that Aetna may have used these particular envelopes to save money and hide the fact that the letters were being sent pursuant to a settlement agreement. Unfortunately for Aetna, this decision will end up costing it far more than the price of using different envelopes. Nearly every state has laws that protect against the disclosure of a person’s HIV/AIDS status. The federal Health Insurance Portability and Accountability Act, commonly known as HIPAA, also protects against such disclosures. By using these envelopes, Aetna appears to have violated HIPAA and state privacy laws, and to have breached the terms of the previous settlement agreement requiring the company’s compliance with state and federal laws.
Ensuring that your company has policies in place requiring the review of decisions related to confidential medical information can help your company avoid liabilities.
The current lawsuits against Aetna highlight the importance of protecting the confidential medical information of customers. For companies handling such information, data privacy should be at the forefront of decision making, whether those decisions involve how to safely store the information electronically or even what type of envelopes to use for a mailer. Privacy issues like those currently plaguing Aetna can be avoided by ensuring that your company has safeguards in place to prevent a data breach from occurring. This may include establishing a system of checks and balances or incorporating a lawyer into the process who can review any decisions for compliance with state and federal privacy laws. While such practices may lead to higher operational costs, those costs are far outweighed by the benefits of avoiding liabilities that would arise from the disclosure of confidential medical information.