WASHINGTON — Thousands of people with HIV received mailed letters from Aetna last month that may have disclosed their HIV status on the envelope.
The letters, which Aetna said were sent to approximately 12,000 people, were meant to relay a change in pharmacy benefits. Text visible through a small window on the envelopes listed the patients’ names and suggested a change in how they would fill the prescription for their treatment for the virus.
“People have been devastated. We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out,” said Sally Friedman, legal director at Legal Action Center, which is pushing Aetna to correct the mistake and which highlighted the violation Thursday.
“People with any private health conditions can just imagine, whether you’re being treated for cancer or a behavioral condition, just imagine having that flat out on the front of an envelope for anyone to see. It should be a grave concern to everyone,” she added.
Aetna is in the process of notifying both state and federal authorities about the breach, a company spokesman said. The mailing was sent July 28.
“We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members,” the spokesman said. “This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”
Legal Action Center, working with the AIDS Law Project of Pennsylvania, called on Aetna to cease and desist the mailings and to remedy the mistake. Those organizations and other privacy and AIDS advocacy groups had heard from individuals in eight states and the District of Columbia.
HIV status of thousands revealed on envelopes mailed by insurer.
(Below as an example from Legal Action Center)https://t.co/Z1Zkle47Rf pic.twitter.com/lT0Ev0z9SH
— joe rojas-burke (@rojasburke) August 24, 2017
In their letter, the groups said the breach caused “incalculable harm” and suggested several of the affected individuals had already filed complaints with the Health and Human Services Office for Civil Rights or other state authorities.
In a letter Aetna mailed to affected individuals, obtained by STAT, the company suggested the personal information was only visible “in some cases.”
“The letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window,” the Aetna notification letter reads. Aetna’s notification letter also emphasizes that “the viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition.”
Friedman said in every letter the privacy advocates had seen, the information was very visible.
She added that while Legal Action Center has handled numerous cases of privacy violations from health care providers, she could not recall any case involving an insurer.
Plans across the country suffer privacy breaches, as do providers. A 2009 law requires companies that are covered by federal health privacy laws, like plans, providers, and their vendors, to report data breaches that affect more than 500 individuals. That database showed some 30 such breaches in July alone, though the tool does not detail the kind of information that was disclosed. Some breaches involve Social Security numbers or service codes, for example.
Health care companies often settle health privacy law violation cases with HHS and in some cases pay millions in fines. In May, for example, after an employee at St. Luke’s-Roosevelt Hospital Center Inc. inadvertently disclosed a patient’s HIV status and other medical information to his employer, the provider paid a $378,000 settlement.
An earlier version of this story said the HIV status of 12,000 people had been disclosed. Aetna said the mailings went to approximately 12,000 people but that it was unclear how many of the envelope windows would have shown personal health information.