American managed health care company Aetna is in hot water for accidentally exposing the HIV statuses of 12,000 of its patients.
The breach occurred on 28 July 2017 when the company dispatched letters to some of its customers informing them of changes to their received healthcare services. As it turns out, the contents of those letters were in some cases readable from within their sealed envelopes.
Aetna explains itself in a breach notification letter sent out to affected customers:
“We then confirmed that the vendor handling the mailing had used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window. On August 2, 2017, we determined this incident may have caused a breach of your protected health information.”
According to the managed health care company, the letters didn’t contain customers’ Social Security Numbers, bank account information, credit card information, medication names, or medical diagnoses. But they certainly made reference to HIV medication. Just look for yourself.
Needless to say, the intended recipient of this letter might want to keep this information private from family members, neighbors, or anyone else who picks up the mail for them.
Aetna says it intends to institute additional safeguards to prevent incidents such as this (and other HIV-related privacy fiascos) from happening again. But that’s small comfort for the victims affected by the breach. Which is why some have filed complaints with numerous organizations in their home states of Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and Washington, D.C.
Sally Friedman, Legal Director of the Legal Action Center, says her organization has received complaints. From what she’s heard, she’s not impressed with Aetna’s slip-up. As she wrote in a statement:
“Aetna’s privacy violation devastated people whose neighbors and family learned their intimate health information. They also were shocked that their health insurer would utterly disregard their privacy rights.”
Lambda Legal, another organization contacted by affected individuals, is also not happy.
This is a serious violation of privacy for people living with #HIV (and folks taking #PrEP). Shame on you, @aetna.https://t.co/ORUfewiUv2
— Lambda Legal (@LambdaLegal) August 24, 2017
In response, Legal Action Center and the AIDS Law Project of Pennsylvania together sent a letter to Aetna explaining the harm its caused its customers and demanding a more detailed response. As they write in their correspondence:
“We demand that Aetna immediately cease and desist from sending any mail that reveals beneficiaries’ medications or other protected health information to anyone other than the individual who opens the envelope. We also are seeking verification of the corrective measures that Aetna has taken to ensure that Aetna never engages in this type of privacy breach again.”
Let’s hope the managed health care company complies… and decides to have a talk with its vendors before it does another mailing in the future.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.