Aetna pays $1 million to settle three HIPAA breaches

November 3, 2020
Medicare Web

Aetna Life Insurance Company and its affiliated covered entity agreed to pay $1 million to the Office for Civil Rights (OCR) and to adopt a corrective action plan to settle three potential HIPAA violations that occurred in 2017.

The first incident occurred on April 27, 2017, according to the resolution agreement. Aetna discovered that two of its web services used to display documents to health plan members allowed those documents to be accessed without proper log-in credentials. Aetna reported that 5,002 individuals were affected by this breach. Information potentially accessed included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.

The second incident occurred on July 28, 2017, when benefit notices were mailed to members in window envelopes. Shortly afterward, Aetna received complaints that the words “HIV medication” could be seen through the envelope’s window below the individual’s name and address. This impermissible disclosure affected 11,887 individuals, according to Aetna.

The final incident occurred on September 25, 2017. The name and logo of an atrial fibrillation research study appeared on the envelope mailed to participants. Aetna reported that 1,600 individuals were affected by this impermissible disclosure.

In addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes that affected the security of electronic protected health information (ePHI), according to an OCR investigation. Aetna also failed to implement procedures to verify the identities of individuals seeking access to ePHI and to limit PHI disclosures to the minimum necessary to accomplish the purpose of the disclosure. Finally, Aetna did not have appropriate administrative, technical, and physical safeguards in place to protect PHI.

Aetna agreed to implement a corrective action plan that includes updated written policies and procedures addressing individual or entity verification, minimum necessary requirements, and administrative, technical, and physical safeguards. The new policies and procedures must be implemented within 120 days of HHS approval, according to the resolution agreement.

The corrective action plan includes two years of monitoring.

The agreement does not represent an admission of wrongdoing by Aetna.
