Aetna has agreed to pay $17 million to settle a federal class-action lawsuit after the health insurance company mailed out envelopes that accidentally revealed thousands of patients’ HIV status.
The settlement, announced Wednesday, concerns a mass mailing that Aetna sent to patients in the summer of 2017. The lawsuit alleged that Aetna committed a privacy breach by giving its law firm and a mail vendor the names and confidential health information of 13,487 customers who’d been prescribed HIV medications. (By settling, Aetna is not admitting to wrongdoing.)
Nearly 12,000 of those people then received large-windowed envelopes that, even when unopened, showed that they were prescribed HIV medications, according to the lawsuit. These patients are entitled to receive at least $500 each under the settlement.
An additional 1,600 or so patients did not have their HIV status revealed in the mail, but Aetna still improperly shared their names, the lawsuit alleged. That group of people stands to receive $75 each under the settlement.
The breach affected patients who were both taking treatments for HIV and medication to prevent it, according to the lawsuit, which was filed in August in US District Court for the Eastern District of Pennsylvania. In some cases, the mass mailing caused patients to be kicked out of their homes or damaged their relationships with friends, relatives, and neighbors, the plaintiffs alleged.
The settlement “sends a really strong message to people living with or at risk of HIV that their privacy is valued and those who violate privacy laws will pay a steep price,” Sally Friedman, an attorney at the Legal Action Center, one of the groups behind the lawsuit, told BuzzFeed News.
Overall, the lawsuit’s plaintiffs spanned 27 states and Washington, DC.
The lead plaintiff — an anonymous man taking the HIV prevention medication known as PrEP — said in a press release, “HIV still has a negative stigma associated with it, and I am pleased that this encouraging agreement with Aetna shows that HIV-related information warrants special care.”
The lawsuit alleged that Aetna violated both the federal patient privacy law, the Health Insurance Portability and Accountability Act (HIPAA), and several state laws explicitly designed to protect the privacy of HIV patients.
In a statement, an Aetna spokesperson said that the company was taking steps to prevent future privacy breaches.
“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” the spokesperson said. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”