The health care company Aetna mailed envelopes that revealed the HIV status of some of its customers in multiple states, according to the Legal Action Center and the AIDS Law Project of Pennsylvania.
The legal organizations and six other organizations are representing the customers, a group of whom are devastated after friends and neighbors saw the envelopes and learned of their status, the firms said in a news release. Attorneys sent a demand letter to Aetna on Thursday on behalf of those affected, calling on the company to stop sending letters in this format and develop a plan to change its practices.
Aetna said the letters went to about 12,000 customers; the law firms say they have received 23 complaints, with more coming in.
There are victims of this breach from all over the country, including one who lives 15 miles from Aetna's headquarters and works in the insurance industry.
He said the company's apology is too little too late.
When Jorge Gallo of Middletown received a letter from Aetna he noticed something strange.
We've protected his privacy, but anyone who glanced down at the envelope could see sensitive information.
"The window is so large you actually can read the first three sentences of the letter. You can read about half of the actual letter if you had it open...it goes to the point where you can read the individual conditions," Gallo said.
Thousands of people received similar letters. Jorge who suffers from high blood pressure wasn't worried about his privacy but is angry because all of the victims that may have debilitating illnesses they wanted to keep private.
"High blood pressure, you know a ton of people have it. The flip side of that is, what if you have a cardiac condition, PTSD, or anything else. I have friends who have children who've been overseas and they're the ones who are really affected by this. And there [are] employers who won't employ you for that," Gallo said.
Two legal organizations claim Aetna revealed the HIV status of patients in several states with the mailer and that some victims relatives and neighbors learned about their conditions.
"I'd sue the hell out of them. There are going to be people who are very affected by this. There's people who are gonna need extra clinical help. Unfortunately a lot of those people are the folks who don't have healthcare plans and are most at risk. Whose gonna pay their additional medical bills, whose gonna pay for the therapy it's gonna take," Gallo said.
Aetna has apologized for the mistake. They said the breach happened because a third party vendor incorrectly used a window envelope, but they are taking responsibility writing in a statement, "we sincerely apologize to those affected. This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again."
But Jorge believes the mea culpa only goes so far. He believes the insurer owes victims specifics about exactly what went wrong and how they can be sure no one is ever victimized in the same way.
"They've taken responsibility, that's great. What makes me think the next time you pass data off to somebody it's not gonna be misused, mishandled or just spread all over the internet," Gallo said.
Over the last two days Aetna has sent this letter, which we have obtained to all of the victims with more information about the breach.
[CITY] [STATE], [ZIP]
RE: Notification of Privacy Breach
Dear [Insert Individual’s Name]:
We are writing to notify you of a privacy breach that may have involved some of your health information. Most importantly, we want to apologize if you have been affected. We understand how important your privacy is, and this type of mistake is unacceptable.
Here is what happened:
The breach occurred on July 28, 2017, when a letter related to a change in your pharmacy benefits and access to medications was sent to you. On July 31, 2017, we were first made aware that, in some cases, personal health information was visible through the window of the envelope used to send the letter.
Upon learning of the issue, we took immediate steps to investigate what happened. We then confirmed that the vendor handling the mailing had used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window. On August 2, 2017, we determined this incident may have caused a breach of your protected health information.
Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right. We will work to ensure that proper safeguards are in place to prevent something similar from happening in the future.
Types of information involved:
The information displayed in the envelope’s window was your first name, last name, address, and in some cases, a reference to filling prescriptions for [certain] medications. The viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition. Your Social Security number, bank account information and credit card information were not included in the letter.
2 We take the privacy of member information very seriously and deeply regret that this incident occurred. If you have any questions related to the original lawsuit settlement, please call 800- 326-5608. This phone line is toll-free and operates 24 hours per day, seven days per week.
You also have the right to file a complaint with the Office of Civil Rights of the U.S. Department of Health and Human Services. You can send your complaint by mail to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W.. Room 509F HHH Bldg., Washington, D.C. 20201.
Alternatively, you can send a complaint by email to OCRComplaint@hhs.gov.
We serve nearly 45 million people, and are entrusted to protect their personal health information at all costs. When that trust is broken, no matter how big or small the impact, it is on us to earn it back. We hope to do that here.
Cynthia Bates Chief Privacy Officer
Copyright 2017 WFSB (Meredith Corporation). All rights reserved.