Through an Open Window: Aetna’s Super Protected Data Breach and its Aftermath

Most HIPAA breaches making headlines these days are the result of ransomware or cyberattacks. But Aetna has recently been embroiled in controversy over a HIPAA breach involving snail mail. The breach touches on several issues, including the type of data breached, the way that data was breached, and the multiple organizations and various ways in which the data may have been mishandled along the way.

The Breach

The breach occurred in July 2017, when Kurtzman Carson Consultants, LLC (KCC), a class action settlement administrator retained by Aetna, sent letters to roughly 12,000 Aetna plan members notifying them of a class action settlement. Sounds simple enough, doesn’t it?

Unfortunately, KCC sent these letters in transparent window envelopes, which resulted in information about the members’ healthcare being clearly visible. And, the information visible pertained to the members’ use of HIV medications.

This breach is believed to be the largest data breach involving HIV privacy, and many recipients have reported suffering significant harm as a result of the mailing.

Ironically, the letter was sent to these Aetna plan members to notify them about the settlement of two other privacy lawsuits from 2014 and 2015, concerning Aetna’s procedures for its members to acquire their HIV medications.

Judgements Against Aetna

The breach was discovered when members began to receive the letters, and the response was swift. In August 2017, attorneys from the AIDS Law Project of Pennsylvania and the Legal Action Center in New York sent a demand letter to Aetna on behalf of individuals in multiple states, calling for an immediate end to the mailing.

Both organizations, along with Berger & Montague, P.C., a class action and civil litigation law firm based in Philadelphia, followed the demand letter with a class action lawsuit against Aetna. The lawsuit was settled in January 2018 for $17.2 million. A second action, brought by the New York State Attorney General’s Office, was settled for $1.15 million against Aetna. That action covered both the HIV medication breach and a second mailing to 163 members in an envelope with a logo that potentially linked those members to an atrial fibrillation research study.

The Second Wave of Lawsuits

Last week Aetna struck back, filing suit in Pennsylvania federal court against KCC, the company that completed the mailing, for gross negligence.

KCC immediately counter-sued Aetna, also naming Aetna’s legal counsel, Gibson Dunn, in the suit. KCC alleges that Aetna and Gibson Dunn violated the Minimum Necessary Rule in their transmission of PHI to KCC, and that Gibson Dunn sent information about the Aetna members to KCC via unencrypted email. While the unencrypted email did not cause this particular breach, it certainly raises eyebrows about Gibson Dunn’s compliance with the HIPAA Security Rule, and may earn the firm a visit from the Office for Civil Rights for a HIPAA compliance audit.

Super Protected Data

Yet another factor to consider, at least in Pennsylvania, is its standing as a HIPAA-plus state. In a HIPAA-plus state, the laws protecting the use and disclosure of certain types of health information, called “super protected data”, are more stringent than, and supersede, the federal HIPAA rules. HIV status and treatment, along with mental health and substance abuse treatment information, are all classified as super protected data in Pennsylvania.

What Comes Next

It appears that there is plenty of blame to share for this breach among Aetna, KCC and Gibson Dunn. What remains to be seen, however, is whether Aetna will be successful in shifting some of the cost burden to these other organizations. Even so, as the Covered Entity, Aetna bears the ultimate responsibility.