The Legal Wrangling over Aetna’s HIV Data Breach Continues

In January, Aetna settled two suits stemming from a high-profile breach of HIV data. Aetna’s breach of Super Protected Data which occurred when the insurer sent letters to roughly 12,000 members that exposed their HIV status. The letters were processed and mailed by KCC, a company Aetna had contracted with to notify the same consumers about the settlement of two class action lawsuits from 2014 and 2015. The prior lawsuits charged that Aetna’s former practice of requiring them to obtain HIV medications via mail order, rather than from local pharmacies, also violated their privacy because the medications were delivered in refrigerated containers and would expose the HIV status of the package recipients to anyone who saw the packages.

In May, Aetna announced that, in addition to its suit against KCC filed in February, it is now suing the nonprofit Consumer Watchdog, and the law firm of Whatley Kallas, LLP. This firm is representing one of plaintiffs, “John Doe”, in the 2014 lawsuit challenging Aetna’s practice of mandating HIV patients obtain their prescription medicines by mail order, rather than by being able to go to their local pharmacies.

All this legal activity by Aetna is in attempts to recoup some or all of the $20 million dollars it has been ordered to pay as result of the window-envelope breach, resulting from lawsuits filed by the AIDS Law Project of Pennsylvania and the Legal Action Center in New York on behalf of plaintiffs in multiple states.

Aetna claims that the lawyers from Consumer Watchdog and Whatley Kallas LLP should have prevented Aetna from sending out the envelope exposing peoples’ HIV status. Additionally, Aetna is asking a California court to prevent the lawyers from Whatley Kallas from representing their plaintiff, John Doe, on the grounds that it is the lawyers, and not Aetna, who are responsible for the harm caused to John Doe’s privacy.

It remains to be seen if Aetna will be successful any of the blame or cost burden to other organizations through these lawsuits. Even if it does, as the Covered Entity, the ultimate responsibility belongs to Aetna.