HIV Status Data Breach: Aetna Seeking $20 Million Compensation

Feb 22, 2018

Aetna has begun a legal action to claim compensation from an administrative support firm in relation to a July 2017 data violation in which details of HIV medications were visible through the transparent plastic windows of envelopes in a mail shot. Letters inserted in some of the envelopes had moved, meaning that the wording “when filling prescriptions for HIV medications” could be seen by anyone who held the envelopes.

The privacy violation was criticized by the Legal Action Center and AIDS Law Project of Pennsylvania, who in tandem with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking compensation for those affected by the breach. Last January, Aetna settled the legal action for $17.16 million. Last month, Aetna also settled breaches of HIPAA and state legislation for $1.15 million with the New York attorney general over the same HIPAA violation.

The class action was just one of seven filed against the health insurance provider, and further financial sanctions from state attorneys general are likely. Several other attorneys general have opened inquiries into the breach and may also determine that state legislation has been violated.

The legal costs associated with the privacy breach are escalating and Aetna does not feel it should have to cover costs arising from the (alleged) negligence of a third party. The health insurance provider is seeking at least $20 million in compensation from the administrative support firm – Kurtzman Carson Consultants (KCC) – whose mistake led to the privacy breach.

In the legal action, Aetna argues the firm’s mistakes and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan subscribers. Aetna argues that no reviews were carried out to determine how much information was visible through the transparent windows of the envelopes. Aetna also argues that KCC did not tell Aetna that envelopes with clear plastic windows were being used for the correspondence, and that Aetna’s lawyers were not consulted to provide their approval of the mailing.

Aetna did try to resolve its issues directly with KCC and pursued indemnification; however, the talks were not successful, leading Aetna to begin legal action.

Aetna is looking for a ‘hold harmless’ ruling which will see Aetna safeguarded from all liability, damages, payments and claims with regard to the mailing. With the result of other lawsuits forthcoming, further investigations being carried out by state attorneys general, and a possible HIPAA breach penalty from the Department of Health and Human Services’ Office for Civil Rights (OCR), the final cost of the mailing mistake could be well in excess of $20 million.

Along with seeking compensation, Aetna is also attempting to get KCC to return or destroy all confidential data provided to permit the firm to complete the mailing.

KCC refutes the claims and its general counsel, Drake Foster, referred to Aetna’s claims as ‘demonstrably false.’



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
