In August 2017, Liberty Nation looked at a tragic occurrence in privacy violation. Aetna had sent in the mail, instructions for filling medication prescriptions to patients currently being treated for HIV and Pre-exposure Prophylaxis (PrEP), a regimen that helps prevent a person from acquiring the disease.
The violation shocked and outraged recipients when they realized their private information about HIV medication was visible through the window on the envelope.
In January, Aetna reached a $17 million settlement in a federal class-action lawsuit accusing the company of privacy breach to almost 12,000 of its customers currently taking HIV medications. Once approved by the courts, all members of the class-action will receive between $75 and $500. There are funds also held for those who file individual claims with extenuating circumstances for pain and suffering.
Early last week, Aetna filed a lawsuit in federal court in Pennsylvania, stating that Kurtzman Carson Consultants LLC (KCC), an administrative support company for legal and financial businesses, is responsible for the mailing and “potentially disclosing” protected health information. KCC is a class-action settlement administrator, responsible for mailing documents and handling secure data. In the lawsuit, Aetna is asking for a “hold harmless” ruling, protecting the insurer from all liability, damages, payments, claims and other obligations related to the mailing. It is also seeking damages of at least $20 million.
Aetna hired KCC to be the administrator for two class-action lawsuits filed against Aetna in 2014 and 2015. Plan members had sued Aetna over an announced policy change that would have required them to fill prescriptions for HIV medications by mail, which felt discriminatory because it prevented patients taking HIV medicine from receiving in-person counseling from a pharmacist. However, from the insurer’s viewpoint, face to face conversations in public pharmacies could jeopardize members’ privacy. Aetna, represented by Gibson Dunn, ended up agreeing to allow health plan members to continue filling HIV prescriptions at their pharmacies and KCC was hired to send out notifications of the settlement for the privacy violation concerns.
The engagement included mailing settlement notices and processing claims. Aetna’s legal team alleges that KCC knew, or should have known, that it was handling confidential, protected health information, including HIV-related data. Specifically, it should have known that the words “HIV Medications” were referenced in the notice below the recipient’s name and address.
The Same Problem Again!
The irony lies in that the response letters sent out by KCC were for settlements of previous privacy violation concerns. The notifications were a calamity. They included transparent windows displaying not just the names, addresses and claim numbers of Aetna members but also revealed wording that referenced “when filling prescriptions for HIV medications.” The settlement notifications contained sensitive information subject to public exposure. The very same issue the whole litigation was intended to avert.
In an article published in the Hartford Courant last week, Drake D. Foster, general counsel at KCC, said in an email Tuesday that the company denies the allegations, which he called “demonstrably false.” He added,“KCC deeply empathizes with people affected by this incident and intends to respond to Aetna consistent with the rights and responsibilities related to this matter.”
The very next day, a KCC subsidiary filed a new suit to a Los Angeles federal court blaming Aetna and its lawyers for failing to protect the privacy of Aetna customers. KCC contends that “Aetna and its attorneys knew that windowed envelopes were being used in the mailings in question,” and furthermore, “KCC provided samples of the letters to Aetna, and those letters demonstrated that windowed envelopes would be used. The complaint states “both the insurer and Gibson approved the form and content of the letters before they were transmitted.”
An article in Reuters on February 7th summed up the debacle candidly and bluntly:
“For both Aetna and KCC, as you can see from the dueling complaints, responsibility for the botched settlement notifications is an existential question. As a health insurer, Aetna has a moral and legal obligation to protect patient privacy. As a claims administrator, KCC is supposed to know – of all things! – How to mail out a settlement notification without violating recipients’ privacy. If clients and customers cannot rely on Aetna and KCC to do their jobs, they will turn to competitors. Whoever screwed up the HIV settlement notice will be dogged by the mistake for years to come.”
No doubt the finger pointing will continue, costing millions of dollars in legal fees and penalties which ultimately get passed on to the patients. With no one wanting to accept blame or take accountability, it is just another tentacle of the “healthcare crisis” in America.