The letters, which were sent out on July 28, originally meant to inform members of a change in pharmacy benefits. However, the texts seen through a small window on the envelop showed the patients' names and suggestions about changes in filling up prescriptions.
"People have been devastated. We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out. People with any private health conditions can just imagine, whether you’re being treated for cancer or a behavioral condition, just imagine having that flat out on the front of an envelope for anyone to see. It should be a grave concern to everyone," Sally Friedman, legal director at Legal Action Center told Stat News online.
Legal Action Center worked with the AIDS Law Project of Pennsylvania to urge the insurer to cease the mailings and to address the mistake. Both organizations as well as other privacy and AIDS advocacy groups have received complaints from patients across eight states -- including Arizona, California, Georgia, and Illinois as well as New Jersey, New York, Ohio, and Pennsylvania -- and the District of Columbia.
The groups also noted that affected patients have already filed complaints with the Health and Human Services Office for Civil Rights (HHS-OCR) or other state authorities.
In response, a letter sent by Aetna to affected members suggested that personal information was only visible in some cases. Likewise, the health insurance giant also noted that the letter did not include any statement indicating that a member was diagnosed with any specific condition. However, Friedman insisted that all the letters the advocacy groups examined visibly displayed the information.
The letter also contained the company's explanation about the error. According to Aetna, the letters sent to their members last month could have shifted in a way that allowed the sensitive information to be visible through the envelop window.
"[The company] confirmed that the vendor handling the mailing had used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window. Regardless of how this error occurred, it affects our members and it is our responsibility to do out best to make things right," the company's letter stated.
The company has since then issued an apology and remarked that the error will not happen again.
"This type of mistake is unacceptable. We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members. Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right. We will work to ensure that proper safeguards are in place to prevent something similar from happening in the future,” a company statement read.
Privacy breaches similar to those of Aetna's are subject to federal scrutiny under a 2009 law. According to the law, companies that are covered by federal health privacy laws ought to report data breaches that impact more than 500 individuals. A database containing information on data breaches recorded about 30 incidents in July alone.
However, the database did not divulge detailed information about the breaches. Medical companies often settle their violations with the HHS. In some cases, these companies pay millions of dollars as a fine. (Related: HIV vaccines cause 50 percent false positive rate in HIV tests.)
Sources include: