Last week, Aetna agreed to resolve class action claims of privacy violations related to the disclosure of thousands of members’ HIV status. The agreement requires the insurance giant to pay over $17 million into a settlement fund, the majority of which will be distributed to members of the affected class, and to develop and implement a “best practices” policy for the use of members’ protected health information (PHI). It brings an end to a class-action lawsuit filed in August 2016 by pseudonymous plaintiff Andrew Beckett (a nod to Tom Hanks’ lead character in 1993’s Philadelphia), which alleged two distinct disclosures of member PHI in one of the largest data breaches involving HIV-related privacy.
The first alleged violation was that Aetna improperly disclosed members’ HIV status to legal counsel, a settlement administrator and a mailing vendor in connection with lawsuits from 2014 and 2015; the second was that Aetna exposed members’ HIV-related information, including their medications, by mailing notification letters to members in envelopes with large, clear windows that exposed the underlying information to anyone who came into contact with the letters. Ironically, both disclosures stemmed from earlier litigation and a settlement involving claims that Aetna engaged in a discriminatory policy by requiring members to obtain HIV-related medications through mail-order pharmacies, which affected members claimed denied them the right to obtain in-person advice from a pharmacist and created a heightened risk of exposing their HIV status.
Under the terms of last week’s settlement, Aetna will pay $500 to each of the approximately 11,875 class members who were mailed the letter that exposed their HIV status and $75 each to an additional 1,600 individuals whose health information was exposed to Aetna legal counsel and the mailing vendor. In addition, class members may be eligible to receive up to an additional $20,000, allocated between separate caps of $10,000 each for financial and nonfinancial harm, upon the submission of documentation evidencing out-of-pocket expenses related to the disclosure of their HIV status and the completion of a questionnaire asking affected members to detail the emotional and psychological harm they have suffered as a result. The settlement also allows additional allocations for attorneys’ fees and distribution of the remainder to certain cy pres recipients through an RFP process intended to assist legal nonprofits working on HIV-related privacy issues.
The settlement agreement also offers some practical advice for entities covered under the Health Insurance Portability and Accountability Act (HIPAA) as well as businesses in other industries, and underscores the point that information security must extend beyond technological controls to thorough and careful processes for mailings and other paper documents containing PHI. For example, the best-practices policy that Aetna agreed to implement as part of the settlement serves as a reminder to covered entities to execute business associate agreements with any and all partners, vendors and service providers, including any retained litigation counsel, who may create, receive, maintain or transmit PHI in connection with the services they render to or on behalf of the covered entity. Further, the policy reiterates the importance of implementing standards and practices, such as de-identification and the “minimum necessary” principle, that limit the disclosure of PHI whenever possible, and of proactively addressing the destruction or return of information following the completion of services.
Separate and apart from the best-practices policy, the settlement agreement also contains a list of protections designed to prevent the inadvertent disclosure of sensitive information through the mail, which, as it turns out, has been the cause of more than one Aetna privacy breach. Clearly aimed at avoiding the mistakes that led to the underlying litigation, the agreement requires the appointed settlement administrator to take the following measures when mailing the settlement notices to the affected class:
- Use an opaque envelope of appropriate and sufficient stock and with no transparent window so as to obscure the contents;
- Use a return address on the outside of the envelope with no identifying information other than a P.O. box, city, state and ZIP Code;
- Include a statement on the front of the envelope stating that it contains “Confidential Legal Information – To Be Opened Only By The Addressee”;
- Use a protective cover page that folds around the Notice of Class Action Settlement and that identifies that the information being provided therein is confidential and solely for reading by the Settlement Class Member; and
- Use paper stock that will protect the confidentiality of the contents of the envelope from being read through the envelope.
These suggestions for additional security protections may also be useful in helping to further refine the way that organizations, particularly HIPAA covered entities, approach informational risk where sensitive personal information is concerned. In addition to these steps, covered entities should also review their agreements with third-party print and mailing vendors to ensure they require the vendors to implement HIPAA-compliant security protections, and provide the covered entity with an audit right to review the vendor’s mailing process. As Aetna’s example shows, the failure to ensure these safeguards are utilized by third-party vendors who handle sensitive information can lead to significant costs in litigation and regulatory action.

In addition to the class action settlement, Aetna will also be required to pay a $1.15 million civil penalty to settle claims brought by the New York Attorney General in response to the breach. Those claims followed an investigation by the New York Attorney General which revealed another mail-related privacy breach in September, where certain Aetna members received mailings regarding a research study for individuals with atrial fibrillation (AFiB), an irregular heartbeat condition. Those mailings may have exposed members’ conditions to third parties who saw the envelope bearing the research study’s logo, “IMACT-AFIB.” The New York settlement, announced after the class action settlement, also requires Aetna to implement a program of enhanced operating procedures for mailings involving PHI, or other sensitive information, and hire an independent consultant to monitor and report on those procedures.
Concern over data breaches often focuses primarily on financial harms to the affected individuals, but the Aetna settlement serves as an important reminder that certain non-financial harms can be even more detrimental to those affected. Members of the Aetna class reported damaged relationships with family or friends, ostracization from their community, and even attacks against their personal property. HIPAA covered entities should begin, if they have not already done so, to formalize these heightened considerations for sensitive data into their overall information governance strategy. Even where information is treated equally under applicable laws or regulations, the effects of exposure can be felt quite differently, both in terms of emotional harm to individuals and in the potential costs of investigations, litigation and settlement to the organization.