December 4, 2020

Volume X, Number 339

HIPAA Breach by Aetna Results in $1,000,000 Payment to Resolve

On October 28, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced that Aetna Life Insurance Company (and the affiliated covered entity, Aetna) agreed to pay $1,000,000 and enter into a corrective action plan for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resolves three separate HIPAA breaches.

According to HHS, the first breach was discovered on April 27, 2017 and reported in June of 2017.  Aetna had discovered that information on one of its webpages was not protected by a login and had been indexed by internet search engines.  Over 5,000 individuals were affected, with the breach including their names, insurance identification number, claim payment amount, procedure services codes and dates of services.

The second breach occurred on July 28, 2017 and was reported in August of 2017.  Aetna had mailed out benefit notices using window envelopes.  The window showed the words “HIV medication” below the member’s name and address for 11,887 individuals.

The third breach occurred on September 25, 2017 and was reported in November 2017. Aetna had sent a research study mailing to plan members, and the envelope displayed the name and logo of the atrial fibrillation research study in which the members were participating. This mailing went to 1,600 individuals.

According to the HHS press release, its investigation also found that “Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.”

Read the HHS Resolution Agreement and the Corrective Action Plan.

©2020 Strassburger McKenna Gutnick & Gefsky
National Law Review, Volume X, Number 303

About this Author

Danielle L. Dietrich SMGG Attorney Pittsburgh, PA
Shareholder

Danielle L. Dietrich, Shareholder in the Pittsburgh Office of SMGG, focuses her practice in the areas of women and diverse-owned businesses, healthcare, elder law and litigation.  She has a broad range of experience in providing legal counsel and advice to her clients (both large and small), as well as having handled a wide range of disputes and litigation in Pennsylvania, Ohio and West Virginia.

A large portion of Ms. Dietrich’s practice focuses on the representation of women and diverse-owned businesses.  That practice includes assisting these...

(412) 281-5423