California Attorney General Xavier Becerra recently announced that a $935,000 settlement has been reached with Aetna, an insurance company that was accused of violating the privacy of 12,000 people nationwide, including 1,991 Californians, by inadvertently revealing their HIV status.
According to the AG's news release, the problem began when Connecticut-based Aetna mailed letters on July 28, 2017. The letters revealed through an enlarged window on the envelope that the recipients were taking HIV medication.
According to Becerra, Aetna violated state law, including the Confidentiality of Medical Information Act, Health and Safety Code, section 120980.
"A person's HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire health care industry," Becerra said in a January 30 statement. "Aetna violated the public's trust by revealing patients' private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring."
In an email to the Bay Area Reporter, Becerra said that the settlement includes injunctive terms to prevent additional violations.
"Aetna is required to implement and maintain specific mailing procedures that preserve the confidentiality of medical information, designate an employee responsible for implementation and maintenance of the mailing program, compliance with federal and state privacy laws, and management of external vendors handling medical information," the email stated. "The company is also required to complete an annual privacy risk assessment evaluating compliance with terms of the settlement for three years."
Becerra's email further stated that the monetary provisions of the settlement would be used to continue enforcement of California consumer protection and privacy laws and for the cost of investigation and litigation.
The victims have additionally received over $17 million in compensation through a private class action lawsuit.
"Aetna quickly acknowledged that they had made an error and that the error was a violation of these people's privacy," said Scott Schoettes, HIV Project Director for Lambda Legal Defense and Education Fund. "I don't think it took them very long to recognize that they had blown it."
Schoettes added that the privacy breach happened because people at Aetna weren't paying attention to what they were doing.
"They weren't ensuring that the labor they were working with recognized the sensitivity of the information they were providing, that it was subject to these protections, and that they needed to make sure the way they were disseminating the information protected that information," he said. "So there was a breakdown between the insurer and the vendor that sent out the notice for them. I think they sometimes don't recognize how important it is to protect confidentiality of information. The law is there to remind them."
Schoettes noted that California was not the only state where attorneys general got involved.
"The AG offices in a number of states stepped forward to enforce the laws in their state when they recognized what was going on," he said, "I think it's a good thing that the AG offices did that."
Schoettes is hopeful that the settlement will encourage not only Aetna, but other companies as well, to be more mindful about revealing confidential information.
"We need to continue to enforce the laws," he said.
The California settlement is subject to court approval.
An Aetna spokesman wrote in an emailed response to a request for comment that the company "through our outreach efforts, immediate relief program, and settlements over the past year" has "worked to address the potential impact to members following this unfortunate incident."
"In addition, we have implemented measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information," spokesman Ethan Slavin wrote.