On October 28, 2020, the US Department of Health and Human Services (“HHS”) announced that its Office of Civil Rights (“OCR”) had reached a settlement with Aetna Life Insurance Company and affiliated entities to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
HHS’s investigation began after Aetna reported to OCR in June 2017 that two web services used by Aetna allowed access to 5,002 individuals’ protected health information without login credentials. Thereafter, in August 2017, Aetna reported a second breach, in which benefit notices were mailed to 11,887 members, using window envelopes that exposed the words “HIV medication” along with the name and address of the plan members. Finally, in November 2017 Aetna reported a third breach that exposed the name and logo of a research study in which 1,600 plan members were participating.
HHS contends that its investigation found that Aetna failed to: 1) perform periodic evaluations to respond to operational and environmental changes affecting information security, 2) implement procedures to verify the identity of persons seeking access to protected health information, and 3) limit the disclosure of protected health information to a reasonable and justifiable amount. According to HHS, these failures contributed to the disclosure of the protected health information of 18,489 individuals.
Aetna denies HHS’s findings and that it violated the HIPAA rules. In settling with HHS, Aetna did not admit any liability, but did agree to pay $1,000,000 and to undertake corrective action. The corrective action plan includes two years of monitoring and reporting, implementation of a training program, and adoption of policies and procedures designed to protect health information and comply with the security and privacy rules.