Aetna has agreed to pay $17 million as part of a settlement agreement for a breach that might have compromised thousands of HIV patients’ privacy.
On 16 January, the United States District Court for the Eastern District of Pennsylvania received a proposed settlement agreement. The arrangement stipulates that Aetna, Inc., Aetna Life Insurance Company, and Aetna Specialty Pharmacy, LLC will pay $17,161,200 to resolve the privacy breach claims of customers from 23 states. They will use those funds to send at least $500 to anyone affected by the incident as well as $75 to approximately 1,600 additional customers whose health information Aetna’s legal counsel and mail vendor might have accessed in some way.
The disclosure occurred on 28 July 2017 when the American managed health care company sent out letters to 12,000 of its customers who had filled prescriptions for HIV. Aetna conducted the mailing through a third-party vendor, which sent each patient a notice inside a window envelope. The type of envelope chosen by the vendor sometimes allowed the recipient’s personal health information (PHI), including their HIV diagnosis, to shift into view, thereby compromising their privacy.
As reported by NPR, the AIDS Law Project of Pennsylvania and the Legal Action Center issued a demand letter in late August demanding that Aetna stop the mailing. The health care company responded by setting up a relief program for affected patients in October. But upon learning of the scale of the mailing and its effect on patients’ privacy, the two organizations along with Berger & Montague PC filed a class-action lawsuit.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/latest-security-news/aetna-accepts-17m-settlement-agreement-for-hiv-privacy-breach/