Privacy & Cybersecurity Law Blog

On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery.

In addition to the monetary penalty, the settlement also requires Aetna to change its standard mailing practices and hire an independent consultant to oversee its compliance with the terms of the settlement. A spokesperson for Aetna said that the company is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”