Health care company Aetna potentially revealed the HIV status of thousands of customers after sending out letters with their details clearly visible through the envelope window.
The letters, which were sent by Aetna to around 12,000 people, were “meant to relay a change in pharmacy benefits,” according to Stat News.
“HIV status of thousands revealed on envelopes mailed by insurer.” — joe rojas-burke (@rojasburke) August 24, 2017
“Text visible through a small window on the envelopes listed the patients’ names and suggested a change in how they would fill the prescription for their treatment for the virus,” they reported. “Legal Action Center, working with the AIDS Law Project of Pennsylvania, called on Aetna to cease and desist the mailings and to remedy the mistake. Those organizations and other privacy and AIDS advocacy groups had heard from individuals in eight states and the District of Columbia.”
Sally Friedman, a legal director at the Legal Action Center, claimed, “People have been devastated.”
“We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out,” she explained. “People with any private health conditions can just imagine, whether you’re being treated for cancer or a behavioral condition, just imagine having that flat out on the front of an envelope for anyone to see. It should be a grave concern to everyone.”
Aetna claimed that only some envelopes were affected, adding, “The letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window.” Friedman, however, stated that the error existed in every instance they had seen.
“We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members,” declared a spokesman for Aetna following complaints. “This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”
The incident could violate the Privacy Rule of the 1996 Health Insurance Portability and Accountability Act (HIPAA), which requires “health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.”
The act “applies to all forms of PHI, including paper, oral, and electronic.”