Aetna Pays $1,000,000 to Settle Three HIPAA Breaches

Today, the U.S. Department of Health and Human Services (HHS) announced that Aetna Life Insurance Company and its affiliated covered entity (Aetna) has agreed to pay $1,000,000.00 to the HHS Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). In addition, Aetna will enter into a corrective action plan to address the issues that gave rise to the alleged violations.

OCR’s investigation revealed, among other things, that Aetna: failed to periodically evaluate operational changes affecting the security of electronic protected health information (PHI); failed to limit PHI disclosures in compliance with the minimum necessary standard; and failed to put in place appropriate safeguards to protect PHI.

Of note, two of the self-reported breaches of HIPAA involved improperly designed physical mailings. In the first breach, which occurred in July 2017, Aetna reported that it sent benefit notices to members via mail, but that the words “HIV medication” were visible through the envelope window. This breach affected 11,887 individuals. A similar breach, which occurred in September 2017, resulted from mailings that contained the name and logo of a research study on the outside of the envelope. The inclusion of this information enabled a viewer to identify that the recipient was a participant in the research study, as well as the condition being treated in the research. This breach affected 1,600 individuals.

A separate breach involved web design and security. In June 2017, Aetna reported that two member portals did not properly secure plan-related documents, enabling the log-in process to be bypassed. This allowed internet search engines to inspect and index the PHI contained within these portals. Aetna reported that 5,002 individuals were affected by this breach, and the PHI disclosed included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.

How Frier Levitt Can Help

Breaches can take many shapes or forms: from mailing errors, to unsecure websites, and cyberattacks. The mandatory breach reporting process will continue to be used by OCR to prompt audits of covered entities and business associates alike. As a result of these audits, the context leading to a breach will be reviewed, as well as an organization’s overall HIPAA compliance policies and procedures. As demonstrated in the Aetna settlement, OCR will penalize entities that fail to conduct regular risk analyses in response to changing operations or practices, as required by HIPAA. Regular risk analyses are intended to monitor and address evolving vulnerabilities that may compromise the privacy and security of PHI maintained by a particular organization. Contact Frier Levitt for assistance with both preventing and responding to a variety of HIPAA breaches and violations.