Last week, several news outlets reported a HIPAA breach, disclosing protected health information of up to 12,000 individuals. Aetna, a Fortune 100 managed healthcare company that sells health insurance plans, sent written correspondence to 12,000 of its members regarding health plan options for filling prescriptions.
There was a large transparent window on the front of the envelopes. The windows revealed information from the letters inside, including patient names and addresses and information about HIV prescription medications. Essentially, Aetna inadvertently disclosed the HIV statuses of many of its customers.
On August 24, 2017, attorneys from the AIDS Law Project and the Legal Action Center of Pennsylvania issued a cease and desist letter to Aetna. The letter demanded that Aetna stop breaching privacy laws by sending mail disclosing HIV status. According to these groups, individuals reported that neighbors and family members learned their confidential health information from the Aetna correspondence. The groups additionally reported that some of the affected individuals had already filed complaints with the Office of Civil Rights of Health and Human Services.
Aetna issued an apology statement last week, calling the mistake “unacceptable” and advising that it would be reviewing its processes to prevent future breaches.