Can Aetna Recover After Catastrophic Confidentiality Breach? Public Health Watch Report

Aetna, the third-largest insurer in the United States, inadvertently sent HIV-positive patients letters that revealed their HIV status through a large, clear window envelope.

Health insurance provider Aetna ran commercials in the 1980s with the tagline, “Aetna, I’m glad I met ya.”

However, it’s unlikely 12,000 of the company’s customers, all of whom are HIV-positive, agree with that sentiment these days. That’s because Aetna, the third-largest insurer in the United States, with more than 46.7 million “covered lives”—and more than $63 billion in annual revenues, according to its most recent figures—sent these patients instructions on new options available to them for filling prescriptions for antiviral treatments and preexposure prophylaxis (PrEP) in envelopes with “a large, clear window,” as a CBS News report reads.

This set-up revealed the contents of the letter and therefore the health status of the recipients. Ironically, the letters themselves were mailed following the settlement of a class-action lawsuit, which had accused Aetna and other insurance carriers of discriminating against patients with HIV/AIDS by requiring them to fill prescriptions via mail order.

The information displayed included patients’ first and last names, addresses, and in some cases, a reference to filling prescriptions for HIV-related treatment. No specific medication name was visible, nor was any statement indicating specifically that the patients had been diagnosed with HIV/AIDS.

The AIDS Law Project of Pennsylvania, which bills itself as “the nation’s only independent nonprofit public-interest law firm” that provides free legal services to those with HIV and AIDS, filed a class-action lawsuit on August 28, 2017 on behalf of affected Aetna customers, and their families, who received letters, which were postmarked July 28, 2017. The letters were sent to customers in California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and Washington, DC.

“For 40 years, HIV-related public health messages have been geared toward assuring people that it’s safe to come forward to get confidential HIV treatment, and now our clients come forward for HIV-related healthcare and Aetna fails to provide confidentiality,” Ronda B. Goldfein, executive director of the AIDS Law Project of Pennsylvania, said in a statement. The AIDS Law Project co-filed the class-action suit with the Legal Action Center and Berger & Montague, a Philadelphia-based law firm. In another statement, Sally Friedman, Legal Director of the Legal Action Center, said “Aetna’s privacy violation devastated people whose neighbors and family learned their intimate health information. They also were shocked that their health insurer would utterly disregard their privacy rights.”

A photo of the mailing, along with a letter from the plaintiffs in the lawsuit to the insurance company can be found here. To date, according to the AIDS Law Project, 23 letter recipients have complained to its offices. The lead plaintiff in the lawsuit is a 52-year-old Pennsylvania resident who currently receives PrEP.

As Contagion® reported recently, although advancements in HIV treatment have helped make the disease a manageable chronic condition in most patients, those who are positive, particularly women and older adults, still have to deal with the stigma surrounding the infection. That these letters were sent across the United States cannot have been helpful for many of the recipients, many of whom remain vulnerable to discrimination, according to advocacy groups.

To be fair, though, Aetna has been lauded for going above and beyond in customer service in the not-so-distant past, even using social media to address member concerns, a 2013 NPR news report notes. Press reports suggest that the company became aware of the problematic mailings within 3 days of the postmark date. Officials from the company told the press this week that, after investigating the issue, they had confirmed that an outside vendor in charge of the mailing had used a windowed envelope, and “in some cases, the letter could have shifted through the window.” Sources not affiliated with Aetna indicated to Contagion® that the vendor had been selected by the plaintiff in the earlier lawsuit, as part of the notification process for the settlement.

In an official statement, an Aetna spokesperson added, “We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members. This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”

Sources have provided Contagion® with a copy of a letter sent to the 12,000 Aetna members affected by the mailing snafu. It was mailed prior to the story breaking in the mainstream press over the weekend. It reads, in part, “Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right. We will work to ensure that proper safeguards are in place to prevent something similar from happening in the future. We serve nearly 45 million people, and are entrusted to protect their personal health information at all costs. When that trust is broken, no matter how big or small the impact, it is on us to earn it back. We hope to do that here.”

Brian P. Dunleavy is a medical writer and editor based in New York. His work has appeared in numerous healthcare-related publications. He is the former editor of Infectious Disease Special Edition.