Aetna settled a lawsuit for $17 million Wednesday over a data breach that happened in the summer of 2017. The privacy of as many as 12,000 people insured by Aetna was compromised in a very low-tech way: the fact that they had been taking HIV drugs was revealed through the clear window of the envelope.
Lawsuits filed in 2014 and 2015 alleged that policy was discriminatory, that it prevented patients taking HIV medicine from receiving in-person counseling from a pharmacist and that it jeopardized members’ privacy.
Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications.
Those letters were sent in envelopes with a large window, which exposed that sensitive HIV information.
The privacy breach as outlined in the proposed settlement was twofold: Aetna released the names of 13,480 people to its legal counsel and a vendor without proper authorization. Of those, 11,875 got the letter that revealed they were taking HIV medication.
The proposed settlement is awaiting approval in federal court, but in it Aetna has agreed to pay $17,161,200 and set up new “best practices” to prevent something like this from happening again.