Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Aetna is an American managed health care company that sells traditional and consumer-directed health insurance and related services.
In June 2017, Aetna submitted a breach report to OCR stating that on April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach, and the protected health information (PHI) disclosed included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.
In August 2017, Aetna submitted a breach report to OCR stating that on July 28, 2017, benefit notices were mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words "HIV medication" could be seen through the envelope's window below the member's name and address. Aetna reported that 11,887 individuals were affected by this impermissible disclosure.
In November 2017, Aetna submitted a breach report to OCR stating that on September 25, 2017, a research study mailing sent to Aetna plan members contained the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating, on the envelope. Aetna reported that 1,600 individuals were affected by this impermissible disclosure.
OCR's investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
"When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna's failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement," said OCR Director Roger Severino.
In addition to the monetary settlement, Aetna will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: