Oops! Aetna exposed 12,000 customers’ HIV statuses through envelope window

Communication with your supply chain is everything.

David Bisson

American managed health care company Aetna is in hot water for accidentally exposing the HIV statuses of 12,000 of its patients.

The breach occurred on 28 July 2017 when the company dispatched letters to some of its customers informing them of changes to the healthcare services they receive. As it turns out, the contents of those letters were in some cases readable from outside their sealed envelopes.

Aetna explains itself in a breach notification letter sent out to affected customers:


“We then confirmed that the vendor handling the mailing had used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window. On August 2, 2017, we determined this incident may have caused a breach of your protected health information.”

According to the managed health care company, the letters didn’t contain customers’ Social Security Numbers, bank account information, credit card information, medication names, or medical diagnoses. But they certainly made reference to HIV medication. Just look for yourself.

A photo provided by the AIDS Law Project of Pennsylvania shows an Aetna mailer in which a reference to HIV medication is partly visible though the envelope window.

Needless to say, the intended recipient of this letter might want to keep this information private from family members, neighbors, or anyone else who picks up the mail for them.

Aetna says it intends to institute additional safeguards to prevent incidents such as this (and other HIV-related privacy fiascos) from happening again. But that’s small comfort for the victims affected by the breach, which is why some have filed complaints with numerous organizations in their home states of Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and Washington, D.C.

Sally Friedman, Legal Director of the Legal Action Center, says her organization has received complaints. From what she’s heard, she’s not impressed with Aetna’s slip-up. As she wrote in a statement:

“Aetna’s privacy violation devastated people whose neighbors and family learned their intimate health information. They also were shocked that their health insurer would utterly disregard their privacy rights.”

Lambda Legal, another organization contacted by affected individuals, is also not happy.

In response, the Legal Action Center and the AIDS Law Project of Pennsylvania together sent a letter to Aetna explaining the harm it has caused its customers and demanding a more detailed response. As they write in their correspondence:

“We demand that Aetna immediately cease and desist from sending any mail that reveals beneficiaries’ medications or other protected health information to anyone other than the individual who opens the envelope. We also are seeking verification of the corrective measures that Aetna has taken to ensure that Aetna never engages in this type of privacy breach again.”

Let’s hope the managed health care company complies… and decides to have a talk with its vendors before it does another mailing in the future.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
