Traps to Avoid: Aetna, HIPAA and the $17+ Million Envelope Mishap
When mailing sensitive personal medical information to patients, it is probably best to avoid transparent window envelopes. One of America's biggest health insurance companies just learned this lesson the hard way—to the tune of $17.2 million.
The Lawsuit
That staggering total is what Aetna agreed to pay on Jan. 16 to settle a federal class action lawsuit by beneficiaries accusing the insurance giant of compromising their privacy by mailing them HIV medication information in an envelope with a transparent window. The July 2017 mailing, which inadvertently revealed the patient's name, address and start of the letter, was sent to 12,000 beneficiaries taking medication for HIV, or PrEP, a pre-exposure prophylactic pill to prevent HIV. Ironically, Aetna sent the letter in response to beneficiaries' privacy concerns about having to obtain their HIV meds from mail-order pharmacies.
The Fallout
The story takes on a grotesque dimension when you consider the hundreds of millions of dollars firms like Aetna invest each year to secure the personal medical data with which they are entrusted from high-tech hacking and cyber-attack. But to the extent it serves as a reminder of the potential of low-tech breaches to do life-shattering privacy damage, the Aetna debacle might prove a long-term positive.
The Takeaway
First and most obvious, remember that window envelopes and medical information can be a hazardous mix. As for postcards, don't even think about it. Finally, labs and other providers would do well to take heed of the privacy measures the settlement agreement imposes on the administrator in charge of executing the settlement and notifying the affected Aetna beneficiaries of it:
- The envelope containing the notice must obscure the envelope's contents;
- The return address must be devoid of any identifying information other than a P.O. box, city, state and ZIP Code; and
- There must be a statement on the envelope front stating: "Confidential Legal Information—To Be Opened Only By The Addressee."