According to a press release put out by the U.S. Department of Health and Human Services (HHS), Aetna Life Insurance Company and its affiliated covered entities (collectively Aetna) have settled a Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules violation via resolution. The settlement consists of a corrective action plan and a $1,000,000 penalty paid to HHS’s Office of Civil Rights (OCR).
According to the press release, Aetna is an “American managed health care company that sells traditional and consumer-directed health insurance and related services.” In June 2017, Aetna disclosed its discovery that “two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines.”
Reportedly, just over 5,000 customers were impacted by the breach. The security failure inadvertently leaked their protected health information (PHI), including names, insurance policy numbers, claims payment, procedure service codes, and dates of treatment.
Two months later, Aetna filed another breach report with the OCR explaining that benefit notices were sent to customers in window envelopes. Complaints returned by customers alleged that the phrase “HIV medication” was visible through the envelope window. Aetna disclosed that 11,887 individuals were affected by this HIPAA violation.
In November 2017, Aetna submitted a third breach report to the OCR stating that in September, “a research study mailing sent to Aetna plan members contained the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating, on the envelope.” The health care company reported that its error impacted 1,600 individuals.
The OCR investigated, determining that in addition, Aetna did not perform requisite evaluations of its electronic security systems, did not implement identity verification procedures, and lacked “administrative, technical, and physical safeguards to protect the privacy of PHI.”
OCR Direct Roger Servino commented that “[w]hen individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.” The action plan requires Aetna to implement new policies and procedures, including training regimes, and report annually on the status of those programs and HIPAA privacy and security rule compliance.