Aetna to pay $1M to settle potential HIPAA violations

After reporting three breaches in 2017, Aetna Life Insurance Company has agreed to pay $1 million to the Office for Civil Rights of the U.S. Department of Health and Human Services to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules, according to the Office for Civil Rights.

Aetna, a managed health care company that sells traditional and consumer-directed health insurance and related services, submitted three breach reports to the Office for Civil Rights in 2017.

The first report stated that in April 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines.

Aetna reported that 5,002 individuals were affected by this breach, and the protected health information disclosed included names, insurance identification numbers, claim payment amounts, procedures service codes and dates of service.

Later, in August 2017, Aetna submitted a breach report to the Office for Civil Rights stating that benefit notices were mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words "HIV medication" could be seen through the envelope's window below the member's name and address. Aetna reported that 11,887 individuals were affected by this impermissible disclosure.

And then, in November 2017, Aetna submitted a breach report stating that a research study mailing sent to Aetna plan members contained the name and logo of the atrial fibrillation research study in which they were participating on the envelope. Aetna reported that 1,600 individuals were affected by this impermissible disclosure.

According to the Office for Civil Rights, its investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic protected health information; implement procedures to verify the identity of persons or entities seeking access to PHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.

"When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure,” said Office for Civil Rights Director Roger Severino in the news release. “Unfortunately, Aetna's failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.”

In addition to the monetary settlement, Aetna will undertake a corrective action plan that includes two years of monitoring.