Aetna agrees to pay $17M in massive HIV privacy breach

A mailing from insurer Aetna breached the privacy of thousands of HIV positive members. (Elana Gordon/WHYY)

Insurance company Aetna has agreed to pay $17 million in a proposed settlement over widespread privacy violations involving sensitive HIV information.

In July, about 12,000 Aetna subscribers received letters from Aetna regarding an updated policy. But the plastic envelope window was so large it revealed part of the letter, including the phrase “prescriptions for HIV.”

When they learned of the privacy violation, the AIDS Law Project of Pennsylvania, the Legal Action Center in New York, and Philadelphia-based Berger & Montague, P.C. filed suit in late August.

The settlement (which still awaits a judge’s approval) and the short time it took to reach it come as a relief to Ronda Goldfein, a lawyer on the case and director of the AIDS Law Project of Pennsylvania.

“We often hear that people don’t get tested and treated because they are fearful that their private information will get out and they will be at risk of harm,” she said. “We believe that this settlement sends the message that your private info is protected and that you don’t need to be afraid to get medical care.”

Following the settlement announcement, Aetna released this statement:

“Through our outreach efforts, immediate relief program and this settlement, we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

The law firms are setting aside at least $12 million for base payments to those who’ve been affected. Under the terms of the settlement, each subscriber who received the letter will get a $500 check in the mail. That way, they won’t have to file additional paperwork and go through more mailings pertaining to their HIV medications. A separate fund will be set up for people to file for additional damages of up to $20,000. The rest of the money will go toward legal fees and costs.

Adrian Lowe (left), staff attorney with AIDS Law Project, and Ronda Goldfein, attorney and executive director of the AIDS Law Project, hold a copy of a letter that was sent to thousands of Aetna members, revealing their HIV positive status through a large envelope window. (Elana Gordon/WHYY)

Extreme vulnerability

Sam’s jaw dropped when he got the letter at his New Jersey apartment. He could clearly read excerpts including a reference to “prescriptions for HIV” through the unopened envelope. He looked around, a little paranoid, about whether someone else might be able to see it.

“People say when their Social Security number is disclosed or there’s a data breach, they feel violated. I’ve been part of those things before but I never really felt it,” he said. “This, though, because it was my private health, and because that forms an aspect of my daily life — essentially every morning I get up, I take a pill to make sure I don’t spread something and to take care of my own health — just to be exposed like that, I really felt vulnerable,” he said.

WHYY is not using Sam’s real name, because he worries about how going public with his HIV status might affect his work. Additionally, his parents don’t know. But many others may be aware because of what the mailing revealed.

“We believe this is the largest data breach of HIV-related information ever,” Goldfein said.

In August, her office and several other legal aid groups began getting hundreds of complaints from people who had received the letter. Despite improvements in HIV treatment and a reduction in the stigma that surrounds the disease, discrimination is still a reality. Goldfein heard from at least a dozen people who had to move, after someone else saw the letter. One man found homophobic slurs painted on his door, she said. Another woman stopped being able to function when people in her tight-knit immigrant community learned of her HIV status.

“She stopped being able to go to work, and she lost her job,” according to Goldfein.

A “big settlement”

Her group filed a demand letter with Aetna, which led to the establishment of a special fund to address members’ damages and costs.

At the time, Aetna stated, “We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members. This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”

But when Goldfein and others realized how widespread the privacy breach was, they filed a suit seeking class-action status. Aetna has now agreed to settle the case for $17,161,200 and, as part of that, to set up new “best practices” to prevent anything like this from happening again.

“That’s a big settlement,” said Bill McGeveran, who specializes in privacy law at the University of Minnesota.

And while $17 million really stands out in the world of data breach lawsuits, he stressed that low-level breaches like this are not uncommon. Companies may be so focused on IT security that they overlook other ways that privacy can be breached.

“They’re more common than people realize,” McGeveran said. “There’s so much attention to cybersecurity, and rightly so, but a lot of medical privacy concerns are much more analog than that. They’re about things being overheard, they’re about paper records, and, in this case, it’s about a paper mailing.”

For Goldfein, reaching a settlement of this amount in under five months is significant.

“It was important for us to send a clear message to people with HIV that your medical information is important, that it will be protected, that we will take quick action to make sure that it is protected,” she said.

The original plaintiff in the case is a Bucks County man who, in the lawsuit, went by the pseudonym Andrew Beckett. It’s a nod to the Tom Hanks character in the 1993 film “Philadelphia” who was fired once his law firm found out he had HIV. Jonathan Demme directed the film and died early last year.

“Jonathan’s movie created a shorthand for people to talk about HIV, to understand the rights of people with HIV,” said Goldfein. “We hope that this lawsuit will do the same thing.”

But perhaps in a sign of all the advances in HIV since the film, the Andrew Beckett in this case doesn’t actually have HIV. He’s been taking the HIV meds as a form of pre-exposure prophylaxis therapy, or PrEP, a preventive treatment for someone at risk of HIV exposure.

“HIV still has a negative stigma associated with it,” said a news release from the AIDS Law Project. “I am pleased that this encouraging agreement with Aetna shows that HIV-related information warrants special care.”
