WASHINGTON — Thousands of people with HIV received mailed letters from Aetna last month that may have disclosed their HIV status on the envelope.

The letters, which Aetna said were sent to approximately 12,000 people, were meant to relay a change in pharmacy benefits. Text visible through a small window on the envelopes listed the patients’ names and suggested a change in how they would fill the prescription for their treatment for the virus.

“People have been devastated. We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out,” said Sally Friedman, legal director at Legal Action Center, which is pushing Aetna to correct the mistake and which highlighted the violation Thursday.


“People with any private health conditions can just imagine, whether you’re being treated for cancer or a behavioral condition, just imagine having that flat out on the front of an envelope for anyone to see. It should be a grave concern to everyone,” she added.

Aetna is in the process of notifying both state and federal authorities about the breach, a company spokesman said. The mailing was sent July 28.


“We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members,” the spokesman said. “This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”

Legal Action Center, working with the AIDS Law Project of Pennsylvania, called on Aetna to cease and desist the mailings and to remedy the mistake. Those organizations and other privacy and AIDS advocacy groups had heard from individuals in eight states and the District of Columbia.

In their letter, the groups said the breach caused “incalculable harm” and suggested several of the affected individuals had already filed complaints with the Health and Human Services Office for Civil Rights or other state authorities.

In a letter Aetna mailed to affected individuals, obtained by STAT, the company suggested the personal information was only visible “in some cases.”

“The letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window,” the Aetna notification letter reads. Aetna’s notification letter also emphasizes that “the viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition.”

Friedman said in every letter the privacy advocates had seen, the information was very visible.

She added that while Legal Action Center has handled numerous cases of privacy violations from health care providers, she could not recall any case involving an insurer.

Plans across the country suffer privacy breaches, as do providers. A 2009 law requires companies that are covered by federal health privacy laws, like plans, providers, and their vendors, to report data breaches that affect more than 500 individuals. That database showed some 30 such breaches in July alone, though the tool does not detail the kind of information that was disclosed. Some breaches involve Social Security numbers or service codes, for example.

Health care companies often settle health privacy law violation cases with HHS and in some cases pay millions in fines. In May, for example, after an employee at St. Luke’s-Roosevelt Hospital Center Inc. inadvertently disclosed a patient’s HIV status and other medical information to his employer, the provider paid a $378,000 settlement.

An earlier version of this story said the HIV status of 12,000 people had been disclosed. Aetna said the mailings went to approximately 12,000 people but that it was unclear how many of the envelope windows would have shown personal health information.

  • People should be legally REQUIRED to inform others of an HIV infection! To not do so is denying them the right to take steps to not be infected with it! People with infectious lung disease or infectious leprosy are not allowed to just walk around silently spreading it.

    • If you sleep with someone you are required to notify them …
      but anyone with any sense should assume their sex buddy could be positive with hiv, herpies, hep c, clamydia, Gono etc.. and take appropriate precautions.
      For someone to get an std one has to be a little bit stupid.. it means they were sloppy in taking precautions.
      Getting pregnant.. in today’s numerous ways to not be? You have to be stupid .. getting drunk and sloppy no excuse.

  • Are insurance providers subject to HIPPA laws? Would this be a violation if so? Should someone be contacting all recipients regarding this breach of their medical information? This could have been seen by their mail carrier. It’s obvious from the picture the information was visible from the outside of the envelope and every complaint was substantiated. This is a clear negligible violation in this mailing. It would have been a problem no matter what medical information it had been carrying to customers. I feel like every person who received this mailing was violated, should be notified and is entitled to some type damages. Your medical information is private. It is only for you to reveal and there are laws in place to protect that privacy. If someone violates that privacy you have to have some recourse for that whether it causes you an issue or not. They simply can’t do it. If no one holds people accountable when they do, these laws will start to be taken lightly and ignored and things like this situation will happen and eventually become the norm if people accept this company’s excuses and brushing off of this serious incident.

  • How deceptive not telling family members that you have a deadly illness that they can catch from you. I font want my lover who is a family member to know. How despicable. THIS IS UNEXCEPRSBLE!!!!!!!!

    • Most people don’t have sex with their family members. Their spouse, probably, which they are required by law to tell sexual partners. Grandparents, aunts, uncles, siblings, children…they don’t have a right to know.

  • They all should be on a public registry! It’s their ability to hide it that spreads it. It shouldn’t be treated as a private illness, it a DEADLY DISEASE! Stop pandering to people’s feelings, it only makes us weaker! Most of you a$$hats want to ban guns because they “kill”, why don’t we ban what actually does kill, PEOPLE!

  • What kind of selfish, sick individual doesn’t tell their family that they are infected with a highly communicable, incurable disease that has a significant fatality rate?!? This quote makes me ill: “We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members…”

    • Family members could include grandparents…stop assuming they’re talking about their spouse. People have a right to privacy. You’re only required to disclose HIV if you’re having sex with a person, giving blood, or at a hospital. All others that aren’t impacted by that disease don’t have a right to know.

  • Whats the guilt and shame for did u do something u shouldn’t have people have long accepted Hiv and have been nothing but supportive of the disease So it sounds like a real Personal Problem get over it disease is a part of life move on be Happy and shut the hell up Human error is also a part of life duhhhhh

Comments are closed.

Sign up to receive a free weekly opinions recap from our community of experts.
Privacy Policy