Aetna members living with HIV are demanding that the health insurance company immediately stop a practice that violates federal and state privacy laws and exposes them to potential discrimination. Recently, the insurer mailed instructions for filling medication prescriptions to patients currently being treated for HIV or taking pre-exposure prophylaxis (PrEP), a regimen that helps prevent a person from acquiring the disease. Recipients were shocked and outraged when they realized that the reference to their HIV medication was visible through the window of the envelope.
Aetna responded on August 2nd that a third-party vendor handling outgoing mail sent approximately 12,000 letters on July 28th. In a public statement, Aetna said “We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members. This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”
According to Sally Friedman, legal director at Legal Action Center, “People have been devastated. We have had some people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out.” On Thursday, attorneys sent a demand to Aetna on behalf of individuals in Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and Washington, D.C., calling for an immediate end to the letters in their current form. The law firms say they have received 23 complaints, with more expected. Right now, it is challenging to determine the extent of the monetary and personal damages.
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. These types of lawsuits usually settle out of court: the company pays penalties and then reviews, refines and monitors its processes to minimize the risk of the violation happening again.
Most healthcare providers and insurance companies spend hundreds of thousands of dollars every year educating employees to reduce the risk of data breaches, theft, and mistakes (human error) that lead to leaks of patients’ private information. Compliance and IT departments have staff who work diligently around the clock to minimize the risk of exposure, and the companies keep buying more high-cost cyber insurance coverage. It is nearly impossible to keep up with rapidly changing technology and the ever-increasing sophistication of hackers.
One might read about this incident and wonder why Aetna was so careless and why it didn’t supervise the vendor more closely. Both are good questions, and the insurer will no doubt pay for its lack of attention. The fact of the matter is that trying to cover every aspect of patient care and monitor all the related data can be like drinking from a fire hose. Today’s healthcare crisis is not limited to the high cost of premiums and making coverage available to all citizens. Obamacare also had provisions to make the delivery of care more efficient and affordable. However, the haphazard way it was rolled out resulted in costly increases in reporting requirements.
A visit to your local emergency department reveals firsthand the inefficiencies in identifying who you are and what type of insurance you carry, typically referred to as front-end collection. That information is then sent electronically to the billing department, the insurance carrier, the business informatics department, and the local pharmacy, to name just a few. Wherever your private data resides, whether on paper or in cyberspace, it is subject to compromise. The risks are too numerous to list, hence the fire hose reference.
I am not saying the recent experience of Aetna customers is excusable; not at all. They deserve compensation for damages, and Aetna should be accountable, pay penalties and tighten controls. I believe this was a horrible violation of what we Americans need to protect with a vengeance: our privacy. Unfortunately, that is a tall order, if not impossible, in the current healthcare environment.