Aetna Fined $1 Million After 3 Data Breaches
Among the 2017 Incidents Was a Mailing Mishap Exposing HIV Information
Federal regulators have slapped health insurer Aetna with a $1 million HIPAA settlement for three 2017 breaches - including a mailing incident that exposed HIV information - that occurred within six months.
The incident involving the exposure of nearly 12,000 health plan members’ HIV information previously resulted in $3 million worth of settlements in 2018 and 2019 with several state attorneys general plus a $17.2 million class action lawsuit settlement (see: Aetna Fined Yet Again for Exposing HIV Information).
HIPAA Deficiencies
In a statement Wednesday, the Department of Health and Human Services’ Office for Civil Rights says its investigation into the three incidents involving impermissible data disclosures revealed a number of HIPAA deficiencies. Those deficiencies included failing to:
- Perform periodic evaluations of operational changes affecting the security of electronic protected health information;
- Implement procedures to verify the identity of people or entities seeking access to ePHI;
- Limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure;
- Have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna's failure to follow the HIPAA rules resulted in three breaches in a six-month period, leading to this million dollar settlement,” said OCR Director Roger Severino.
Aetna Statement
In a statement provided to Information Security Media Group, Aetna, which was acquired in 2018 by CVS Health, says: “Protecting our members’ privacy is a responsibility we take very seriously. We’ve entered into a settlement agreement with the OCR related to incidents that occurred in 2017, during which personal health information was inadvertently exposed.
"These incidents occurred prior to Aetna becoming part of CVS Health and did not involve any of the company’s other businesses. We have since updated our processes and procedures to further protect member information and are working cooperatively with OCR to further enhance our policies related to privacy and security.”
3 Breaches
OCR says that Aetna submitted a breach report stating that on April 27, 2017, it discovered that two web services used to display documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by internet search engines. The insurer reported that about 5,000 individuals were affected by this breach.
In a second breach report filed in August 2017, the insurer said benefit notices were mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words "HIV medication" could be seen through the envelope's window below the member's name and address, OCR notes. Aetna reported that almost 12,000 individuals were affected by this incident.
In the third breach reported in November 2017, a research study mailing sent to Aetna plan members contained on the envelope the name and logo of the atrial fibrillation research study in which they were participating. Aetna reported that 1,600 individuals were affected (see Aetna Hit with More Penalties for Two Breaches).
'Root Causes'
The investigation into the root causes of the breaches reported by Aetna highlights the need for effective information assurance programs safeguarding PHI in all forms and formats, says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"Organizations with successful programs employ a risk-based approach that identifies where sensitive consumer information is created and stored, looks at how access to data is managed and monitored as well as ensures a comprehensive plan for physical and technical controls to protect data," he says.
"Healthcare organizations that mitigate vulnerabilities identified through a risk-based approach to safeguarding data are continually evaluating the adequacy of their approach against new and evolving threats as well as changes to their business environment or the way they are creating or using sensitive consumer information."
Corrective Action Plan
The resolution agreement with Aetna includes a corrective action plan that calls for the insurer to:
- Develop, maintain and revise its HIPAA policies and procedures;
- Make sure those policies and procedures address performing periodic evaluations in response to environmental or operational changes affecting the security of PHI; authenticating those seeking access to PHI; limiting the disclosure of PHI to what is minimally necessary to accomplish a given purpose; and applying appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;
- Distribute those policies and procedures to its workforce and provide training.
Other Enforcement Actions
The settlement with Aetna follows a string of a dozen other HIPAA enforcement actions by OCR in recent months.
Those include a series of cases involving patients’ right to access their records and three multimillion-dollar settlements following breaches involving hacking incidents (see HHS Issues Another Right of Access Settlement).
The largest of the recent actions was a $6.8 million settlement with Premera Blue Cross after a 2014 breach that exposed information on 10.4 million individuals.