Unsecured Websites and Envelopes Lead to $1,000,000 Settlement for HIPAA-Covered Entity

November 10, 2020

Aetna Life Insurance Company and an affiliated covered entity (Aetna) agreed to pay $1,000,000 to the OCR and to implement a corrective action plan in order to resolve an investigation into potential violations of HIPAA. The investigation arose from the disclosure of personal health information in correspondence and web-based services.

On April 27, 2017, Aetna discovered that two of its web services that displayed plan-related documents to health plan members could be accessed without entering login credentials and had been indexed by various internet search engines. The breach disclosed the names, insurance identification numbers, claim payment amounts, procedure service codes and dates of service for 5,002 individuals. In June 2017, Aetna submitted a breach report to OCR.
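The web-services failure described above has two parts: document endpoints that served content with no login, and those endpoints being crawlable by search engines. The following is an added example (not code from the settlement, from Aetna, or from OCR) of the kind of offline audit a plan's security team can run over responses captured by requesting each document URL without any credentials. The hostnames, paths and headers are constructed for illustration; the checks assume an endpoint is properly protected only when an unauthenticated request is refused or redirected to a login page, and that an endpoint that does return content must at least carry an `X-Robots-Tag: noindex` header.

```python
# Added example, not part of the original article: an offline audit of
# captured HTTP responses for document endpoints requested WITHOUT credentials.
# It flags the two conditions from the case: content served with no login,
# and content that search engines are permitted to index.
from dataclasses import dataclass, field

# Path fragments that indicate a redirect went to a login page (assumption).
LOGIN_PATHS = ("/login", "/signin", "/auth")


@dataclass
class Response:
    """A captured HTTP response to an unauthenticated GET (constructed data)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _header(resp, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower(), "")


def requires_auth(resp):
    """True if the unauthenticated request was refused or sent to a login page."""
    if resp.status in (401, 403):
        return True
    if resp.status in (301, 302, 303, 307, 308):
        location = _header(resp, "Location").lower()
        return any(p in location for p in LOGIN_PATHS)
    return False


def blocks_indexing(resp):
    """True if the response instructs crawlers not to index it."""
    return "noindex" in _header(resp, "X-Robots-Tag").lower()


def audit(responses):
    """Return [(url, [problems])] for every endpoint that needs attention."""
    findings = []
    for r in responses:
        problems = []
        if not requires_auth(r):
            problems.append("serves content without credentials")
        if r.status == 200 and not blocks_indexing(r):
            problems.append("indexable by search engines (no X-Robots-Tag: noindex)")
        if problems:
            findings.append((r.url, problems))
    return findings


# Constructed sample captures (hostname and paths are placeholders).
SAMPLE = [
    # Unprotected and indexable: the failure mode from the case.
    Response("https://plans.example.test/docs/eob/12345", 200,
             {"Content-Type": "application/pdf"}, "%PDF-1.4 ..."),
    # Correct: anonymous request is bounced to the login page.
    Response("https://plans.example.test/docs/idcard/777", 302,
             {"Location": "https://plans.example.test/login?next=/docs/idcard/777"}),
    # Half-fixed: hidden from crawlers, but still served with no login.
    Response("https://plans.example.test/docs/summary/9", 200,
             {"X-Robots-Tag": "noindex, nofollow"}, "<html>...</html>"),
    # Correct: explicit challenge for credentials.
    Response("https://plans.example.test/docs/claims/5", 401,
             {"WWW-Authenticate": "Bearer"}),
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLE):
        print(url)
        for p in problems:
            print("  -", p)
```

Running the block lists the first and third sample URLs: the first with both problems, the third with only the missing-login problem, which is the point of keeping the two checks separate. A `noindex` header limits how widely an exposure spreads, but it does not make an unauthenticated endpoint acceptable; the audit reports it either way.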

On July 28, 2017, Aetna mailed benefit notices to members in windowed envelopes that revealed the words “HIV medication” to anyone who looked through the window. This breach affected 11,887 people. Aetna submitted a breach report to OCR regarding this matter in August 2017.

On September 25, 2017, a research study sent correspondence to Aetna members participating in an atrial fibrillation study with the name and logo of the study on the envelope, thus revealing the fact that the recipients may have an irregular heartbeat. This breach affected 1,600 people and Aetna submitted a breach report regarding this matter in November 2017.

While investigating these disclosures, OCR alleged that Aetna “failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.”

The breaches resulted in a settlement in which Aetna agreed to pay OCR $1,000,000, to implement, within 90 days, policies and procedures that comply with federal guidelines for maintaining the confidentiality of personal health information, and to submit annual reports of its compliance.

Although these HIPAA violations were perpetrated by a health insurance carrier, employer plan sponsors should review their HIPAA policies and procedures for compliance. Correspondence and web services that deal with personal health information should be carefully reviewed in order to ensure that they comply with federal confidentiality guidelines. Additionally, health plans with access to ePHI should ensure the security of that data.

Settlement Agreement »
Press Release »