HIPAA Breach by Aetna Results in $1,000,000 Payment to Resolve
On October 28, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced that Aetna Life Insurance Company (and the affiliated covered entity, Aetna) agreed to pay $1,000,000 and enter into a corrective action plan for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resolves three separate HIPAA breaches.
According to HHS, the first breach was discovered on April 27, 2017 and reported in June of 2017. Aetna had discovered that information on one of its webpages was not protected by a login and had been indexed by internet search engines. Over 5,000 individuals were affected; the exposed data included their names, insurance identification numbers, claim payment amounts, procedure service codes and dates of service.
The second breach occurred on July 28, 2017 and was reported in August of 2017. Aetna had mailed out benefit notices using window envelopes. Through the envelope window, the words “HIV medication” were visible below the member’s name and address for 11,887 individuals.
The third breach occurred on September 25, 2017 and was reported in November 2017. Aetna had sent a research study mailing to 1,600 plan members; the envelope displayed the name and logo of the atrial fibrillation research study in which the members were participating.
According to the HHS press release, its investigation also found that “Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.”