Aetna settled a lawsuit for $17 million Wednesday over a data breach that happened in the summer of 2017. The privacy of as many as 12,000 people insured by Aetna was compromised in a very low-tech way: the fact that they had been taking HIV drugs was revealed through the clear window of the envelope.
"Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident," Aetna wrote in a statement. "In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."
In an ironic twist, the letters were sent in response to a settlement over previous privacy violation concerns. Aetna had required members to obtain HIV medications through mail-order pharmacies. The affected people had taken medication to treat HIV or to lower the risk of becoming infected with the virus, an approach called PrEP, or pre-exposure prophylaxis.
Lawsuits filed in 2014 and 2015 alleged that policy was discriminatory, that it prevented patients taking HIV medicine from receiving in-person counseling from a pharmacist and that it jeopardized members' privacy.
Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications.
It was those letters that contained a large envelope window that exposed that sensitive HIV information.
"I was shocked," said Sam, who distinctly recalls the day he received the notice in August. (NPR agreed not to use his full name because of worries about how going public with his status might affect his work.) The letter came to his mailbox in an apartment complex in New Jersey. He wasn't directly involved in the lawsuit but says the letter hit a level of vulnerability he had never felt before.
"I haven't disclosed my HIV status to my parents," he said. "Let's say that letter had gotten forwarded to their house and someone happened to open the mail. Those were the types of things going through my mind."
Sam, 36, is a civil rights attorney. He was diagnosed with HIV four years ago,
While the stigma surrounding HIV may be less severe than it used to be and treatments have most certainly improved, Ronda Goldfein, director of the AIDS Law Project of Pennsylvania, says the reality is that serious discrimination still exists. That means protecting patient confidentiality is critical to ensuring people feel safe getting care.
As hundreds of calls from people who received the Aetna letter started coming into Goldfein's office and others around the country, she learned of even more harrowing and devastating experiences. She says she heard from one man who had homophobic slurs painted on his door when neighbors saw the letter. Others had to move out of their neighborhoods. For one woman, whose status became known in her tight-knit immigrant community, "she stopped being able to function, she stopped being able to go to work, and she lost her job," Goldfein said.
The AIDS Law Project of Pennsylvania and the Legal Action Center initially issued a demand letter in late August that the insurer stop the mailings. The company responded, setting up a relief fund for affected people and apologizing. "This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again," the health insurer said.
Goldfein and others soon discovered that the mailing was more widespread than first thought: Up to 12,000 people had received it. Her agency, the Legal Action Center and Berger & Montague PC filed a lawsuit and sought class-action status.
Aetna "carelessly, recklessly, negligently, and impermissibly revealed HIV-related information of their current and former insureds to their family, friends, roommates, landlords, neighbors, mail carriers and complete strangers," the lawsuit states. "In the course of sending out the agreed notices, however, Aetna again failed to recognize the dangers associated with sending information about HIV medications through the mail."
The privacy breach as outlined in the proposed settlement was twofold: Aetna released the names of 13,480 people to its legal counsel and a vendor without proper authorization. Of those, 11,875 got the letter that revealed they were taking HIV medication.
The proposed settlement is awaiting approval in federal court, but in it Aetna has agreed to pay$17,161,200 and set up new "best practices" to prevent something like this from happening again.
As part of the payout, the law firms are setting aside at least $12 million for payments of at least $500 to the estimated 11,875 people who may have received a letter exposing that information, acknowledging that "the harm was in the status being disclosed," according to Goldfein. Plus, people won't have to file additional paperwork and go through more mailings pertaining to their HIV medications.
A fund will be set up for those who experienced additional financial or emotional distress. Individuals will be able to claim up to $20,000. The rest of the money will go toward legal fees and costs.
In a review of past privacy settlements, Goldfein believes the Aetna settlement marks the largest per person payout for any kind of data breach. Either way, "that's a big settlement," according to William McGeveran, a specialist in privacy law and data breaches at the University of Minnesota.
"It's a much bigger settlement than ordinary identity theft scenarios where an online database has been breached and the main injury people are claiming is that they might be victims of identity theft and maybe have their financial information compromised," he said.
The amount may be unusual, but McGeveran also says low-level breaches like this aren't. Companies may be so focused on IT security that they overlook other ways that privacy can be breached.
"They're more common than people realize," McGeveran said. "There's so much attention to cybersecurity, and rightly so, but a lot of medical privacy concerns are much more analog than that. They're about things being overheard, they're about paper records and in this case it's about a paper mailing."
For Goldfein, reaching a settlement in just 4 1/2 months was a relief to her client and others and underscores that medical privacy is a right for everyone.
"It was important for us to send a clear message to people with HIV that your medical information is important, that it will be protected, that we will take quick action to make sure that it is protected," she said.
Beyond the payout itself, she hopes the suit helps change the culture of companies when it comes to the attention paid to medical privacy, and the rights of people with HIV in particular. To highlight that, lawyers used "Andrew Beckett" as the pseudonym for the original plaintiff in the case, a Pennsylvania man from Bucks County.
It's a nod to the Tom Hanks character in the 1993 film Philadelphia, who was fired after his law firm found out he had HIV. This "Beckett" is taking PrEP.
"HIV still has a negative stigma associated with it, and I am pleased that this encouraging agreement with Aetna shows that HIV-related information warrants special care," Beckett said in statement.
This story is part of a reporting partnership with NPR, WHYY and Kaiser Health News.