Aetna settled a lawsuit for $17 million Wednesday over a data breach that happened in the summer of 2017. The privacy of as many as 12,000 people insured by Aetna was compromised in a very low-tech way: The fact that they had been taking HIV drugs was revealed through the clear window of the envelope.
"I was shocked," said Sam, who distinctly recalls the day he received the notice in August. (Kaiser Health News and NPR agreed not to use his full name because he worries about how going public with his HIV status might affect his work.) The letter came to his mailbox in an apartment complex in New Jersey. He wasn't directly involved in the lawsuit but says the letter hit a level of vulnerability he had never felt before.
"I haven't disclosed my HIV status to my parents," said Sam, 36, who is a civil rights attorney. "Let's say that letter had gotten forwarded to their house and someone happened to open the mail. Those were the types of things going through my mind."
In a statement, Aetna wrote: "Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident."
The insurer also said it is "implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."
In an ironic twist, the letters were sent in response to a settlement over previous privacy violation concerns. Aetna had required members to obtain HIV medications through mail-order pharmacies. The affected people had taken medication to treat HIV or to lower the risk of becoming infected with the virus, an approach called PrEP, or pre-exposure prophylaxis.
Lawsuits filed in 2014 and 2015 alleged that policy was discriminatory, that it prevented patients taking HIV medicine from receiving in-person counseling from a pharmacist and that it jeopardized members' privacy.
Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications.
It was those notification letters that contained a large envelope window that exposed sensitive HIV information.
While the stigma surrounding HIV may be less severe than it used to be and treatments have improved greatly, Ronda Goldfein, director of the AIDS Law Project of Pennsylvania, said the reality is that serious discrimination still exists. That means protecting patient confidentiality is critical to ensuring people feel safe getting care.
As hundreds of calls from people who received the Aetna letter started coming into Goldfein's office and others around the country, she learned of more harrowing and devastating experiences. She said she heard from one man who had homophobic slurs painted on his door when neighbors saw the letter. Other letter recipients felt the need to move out of their neighborhoods. For one woman, whose status became known in her tight-knit immigrant community, "she stopped being able to function, she stopped being able to go to work, and she lost her job," Goldfein said.
The AIDS Law Project of Pennsylvania and the Legal Action Center initially issued a demand letter in late August that the insurer stop the mailings. The company responded, setting up a relief fund for affected people and apologizing. "This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again," the health insurer said.
Goldfein and others soon discovered that the mailing was more widespread than first thought: Up to 12,000 people had received it. Her agency, the Legal Action Center and Berger & Montague PC filed a lawsuit and sought class-action status.
The privacy breach as outlined in the proposed settlement was twofold: Aetna released the names of 13,480 people to its legal counsel and a vendor without proper authorization. Of those, 11,875 got the letter that revealed they were taking HIV medication.
The proposed settlement is awaiting approval in federal court, but in it Aetna has agreed to pay $17 million and set up new "best practices" to prevent something like this from happening again.
As part of the payout, the law firms are setting aside at least $12 million for payments of at least $500 to the estimated 11,875 people who may have received a letter exposing that information, acknowledging that "the harm was in the status being disclosed," Goldfein said. Plus, people won't have to file additional paperwork and go through more mailings pertaining to their HIV medications.
A fund will be set up for those who experienced additional financial or emotional distress. Individuals will be able to claim up to $20,000. The rest of the money will go toward legal fees and costs.
"It's a much bigger settlement than ordinary identity theft scenarios, where an online database has been breached and the main injury people are claiming is that they might be victims of identity theft and maybe have their financial information compromised," said William McGeveran, a specialist in privacy law and data breaches at the University of Minnesota.
The amount may be unusual, but McGeveran also said low-level breaches like this aren't. Companies may be so focused on IT security that they overlook other ways that privacy can be breached.
"They're more common than people realize," McGeveran said. "There's so much attention to cybersecurity, and rightly so, but a lot of medical privacy concerns are much more analog than that. They're about things being overheard, they're about paper records and in this case it's about a paper mailing."
Beyond the payout itself, she hopes the suit helps change the culture of companies when it comes to the attention paid to medical privacy, and the rights of people with HIV in particular. To highlight that, lawyers used "Andrew Beckett" as the pseudonym for the original plaintiff in the case, a Pennsylvania man from Bucks County.
It's a nod to the Tom Hanks character in the 1993 film "Philadelphia," who was fired after his law firm found out he had HIV. This "Beckett" is taking PrEP.
"HIV still has a negative stigma associated with it, and I am pleased that this encouraging agreement with Aetna shows that HIV-related information warrants special care," the man known as Beckett said in statement.
KFF Health News © 2018
Cite this: Kaiser: Aetna Agrees to $17M Payout in HIV Privacy Breach - Medscape - Jan 22, 2018.