Aetna agreed to pay $935,000 to settle a lawsuit alleging that it violated California health privacy laws by revealing patients’ HIV status.
The state’s Attorney General Xavier Becerra filed the complaint against Aetna. Becerra alleged that the insurance company failed to fulfill its legal obligation to preserve the confidentiality of medical information when its vendor committed a mailing error in July 2017. The vendor sent letters to Aetna members using envelopes with a large, clear window, disclosing that the recipient was taking HIV-related medications.
The mailing error affected 12,000 Aetna members nationwide, including 1,991 Californians.
The insurance company was negligent because it did not take proper steps to protect the medical information of its members. It violated the Confidentiality of Medical Information Act, Health and Safety Code section 120980, the State Constitution, and the Unfair Competition Law, according to the attorney general.
Attorney General Becerra says Aetna “violated public’s trust”
In a statement, Becerra said, “A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare. Aetna violated the public’s trust by revealing patients’ private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring.”
Aetna reached a settlement agreement with the Attorney General’s office on Wednesday. In addition to the $935,000 payment, the insurance company agreed to implement and maintain specific mailing procedures that protect the confidentiality of medical information.
These procedures include steps to make sure medical information is not visible to third parties through the envelopes. Aetna will develop training materials and implement training requirements about medical information mailing procedures. It will appoint an employee responsible for implementing and maintaining its revised mailing program, ensuring compliance with state and federal privacy laws, and managing external vendors that handle medical information.
Furthermore, the insurance company agreed to complete an annual privacy risk assessment for three years to determine its compliance with the terms of the settlement.