Aetna Maintains Efforts to Recoup 2017 HIV Status Privacy Breach Costs

by | Jun 8, 2018

Aetna have launched fresh attempts to recover some of the expenses they incurred in the ongoing legal battles in relation to a 2017 privacy breach involving the exposure of patients’ sensitive health information.

A new lawsuit has been submitted by the insurance company in a bid to recover the costs they suffered due to the data violation.

In 2017, Aetna suffered experienced a data breach that involved highly sensitive patient information impermissibly being shared with other people. A third party mailing vendor sent letters to patients using envelopes with clear plastic windows and details about HIV medications were allegedly visible. The mailings were advising patients of HIV medications used to treat patients who had already contracted HIV and people who were taking drugs as pre-exposure prophylaxis. Around 12,000 patients were issued the mailing.

Lawsuits were submitted on behalf of patients whose HIV positive status was impermissibly shareed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for an additional $1.15 million to resolve the privacy breaches.

After those settlements, Aetna tried to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who, it is claimed. directed the mailing vendor to issue the letters to patients that shared their PHI. Aetna maintains that Kurtzman Carson Consultants did not advise Aetna that the mailing was being sent using windowed envelopes. The lawsuit is still going on.

Now a lawsuit has been submitted by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an effort to recoup at least a portion of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a earlier case that led to the sharing of the notification letters that exposed patients’ sensitive data.

The privacy breach that led to the $20 million settlement came about in response to a previous privacy incident that Aetna was subjected to legal action in relation to. That initial privacy breach related to a necessity for patients who had been prescribed HIV medication to receive the drugs through the mail rather than picking them them up in person. Since the drugs need to be kept refrigerated, and are mailed in refrigerated containers, it was claimed that this would breach patients’ privacy as it would be obvious to neighbors and co-workers that HIV drugs were being sent.

The most recent lawsuit claims the plaintiffs were to blame for requiring Aetna to issue sensitive information to the Kurtzman Carson Consultants, which Aetna was against and that after that data was passed to Kurtzman Carson Consultants, the plaintiffs did not ensure the confidential information was safeguarded.

Whatley Kallas had advised using Kurtzman Carson Consultants and Consumer Watchdog were involved to make sure Aetna stayed true on its promise to change the requirements for patients to have the drugs issued by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog outlineded to Reuters, that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used and maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” said Rosenfield and Flanagan in a correspondence to the insurer, ending “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While this may seem to be a case of passing the buck at face value, the case is not as flippant as it may appear. According to Aetna, the law firm advising and representing the plaintiffs in the original case were allegedly party to a proposal that outlined windowed envelopes were going to be used, but the law firm failed to issue a warning.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy