It is believed that healthcare data breach that saw the protected health information of clients of CVS Caremark impacted has lead to legal action against CVS, Caremark, and its mailing supplier, Fiserv.
The legal action, which was submitted in Ohio federal court on March 21, 2018, relates to a presumed privacy breach that happened due to a mistake that affected a July/August 2017 mailing broadcast sent to almost 6,000 patients.
In July 2017, CVS Caremark was hired to manage as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark supplies eligible patients with HIV medications and corresponds with them about medications.
In July/August 2017, CSV Caremark’s mailing supplier Fiserve issued letters to patients containing their membership cards and data about how they could receive their HIV prescriptions.
In the legal action the complaint claims HIV-related data was clearly visible through the plastic windows of the envelopes, allowing the data to be seen by postal service workers, family members, and roommates. It is claimed the mailing resulted in the revealing of the recipient’s HIV status.
As per Ohio Department of Health policies, information that refers to HIV should only be broadcast in non-window envelopes. The mailing would have breached those policies and Health Information Portability and Accountability Act (HIPAA) Rules.
Such a HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovery of the breach; however, the complainant claims no breach report was filed to OCR and alerts were not sent to affected people – An additional breach of HIPAA Rules.
Plaintiffs are suing for punitive and compensatory damages and coverage of their legal expenses.
There have been further breaches of HIV information over the last while, including a mailing mistake by a supplier of Aetna. In that case, HIV-related data could be seen through the clear plastic windows of envelopes in a mailing to 12,000 people. Aetna settled a class action lawsuit submitted on behalf of victims of the HIPAA violation for $17,161,200 and is currently suing its mailing supplier to recover the expenses. The New York Attorney General also fined Aetne in relation tothe breach and settled that case for a figure of $1.15 million.