Aetna to Pay N.Y. $1.15M to Settle HIV Status Privacy Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Aetna Inc. settled Jan. 23 with the New York attorney general over claims the insurance provider sent letters that exposed, through a transparent address window, the HIV status of 2,460 state residents.

The insurance provider will pay $1.15 million in civil penalties under the settlement agreement. Aetna didn’t admit fault under the agreement, but agreed to update privacy protections for personal health information and hire outside consultants to monitor compliance with the settlement.

The agreement demonstrates that companies handling sensitive health information not only need to employ electronic data security safeguards, but protect sensitive personal information from public view or face the risk of regulatory enforcement.

“Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members,” N.Y. Attorney General Eric Schneiderman (D) said in a Jan. 23 statement. The office alleged violations of New York state health privacy laws and the federal Health Insurance Portability and Accountability Act (HIPAA), which prohibit the disclosure of sensitive health information.

The settlement stems from Schneiderman’s July 2017 investigation of Aetna in which his office found that Aetna sent letters with a “large transparent glassine window that could easily reveal the HIV status” of health plan members, according to the settlement announcement. The way the letters were put into the envelopes allowed people to see “individuals’ names, addresses, and claim numbers, as well as the first several lines of the letter containing instructions related to HIV medications,” according to the announcement.

The investigation exposed another alleged Aetna health data breach. The insurance provider in September 2017 sent 163 letters to state residents containing health research study materials. Aetna used envelopes that clearly showed the logo of the trial study, “which could have been interpreted as indicating that the recipient member” had a health condition, the settlement announcement said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security