Aetna has begun a legal action to claim compensation from an administrative support firm in relation to a July 2017 data violation in which details of HIV medications visible through transparent plastic windows of envelopes in a mail shot. Letters inserted in some of the envelopes had moved, meaning that the wording “when filling prescriptions for HIV medications” could be seen by anyone who held the envelopes.
The privacy violation was criticized by the Legal Action Center and AIDS Law Project of Pennsylvania, who in tandem with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking compensation for those affected by breach. Last January, Aetna settled the legal action for $17.16 million. Last month, Aetna also settled breaches of HIPAA and state legistlation for $1.15 million with the New York attorney general over the same HIPAA violation.
The class action was just one of seven filed against the health insurance provider, and further financial sanctions from state attorneys general are likely. Several other attorneys general have opened inquiries into the breach and may also determine that state legislation have been violated.
The legal costs associated with the privacy breach are escalating and Aetna does not feel it should have to cover costs arising from the (alleged) negligence of a third-party. The health insurance provider is seeking at least $20 million in compensation from the administrative support firm – Kurtzman Carson Consultants (KCC) – whose mistake lead to in the privacy breach.
In the legal action, Aetna argues the firm’s mistakes and omissions amounted to gross negligence and that KCC should have been conscious that HIV medication information was detailed under the names and addresses of its plan subscribers. Aetna argues that no reviews were carried out to determine how much information was visible through the transparent windows of the envelopes. Aetna also argues KCC did not interact with Aetna to tell them that the envelopes with clear plastic windows were being used for the correspondence, and that Aetna’s lawyers were not spoken with to provide their approval of the mailing.
Aetna did try to resolve their issues directly with KCC and pursued indemnification; however, the talks were not successful leading Aetna to begin legal action.
Aetna is looking for a ‘hold harmless’ ruling which will see the Aetna safeguarded from all liability, damages, payments and claims with regard to the mailing. With the result of other lawsuits forthcoming, further investigations being carried out by state attorneys general, and a possible HIPAA breach penalty from the Department of Health and Human Services’ office for Civil Rights (OCR), the final cost of the mailing mistake could be well in excess of $20 million.
Along with seeking compensation, Aetna is also attempting to get KCC to return or destroy all confidential data provided to permit the firm to complete mailing.
KCC refutes the claims and its general counsel, Drake Foster, referred to Aetna’s claims are ‘demonstrably false.’