The Department of Health and Human Services Office for Civil Rights announced it reached a $1 million settlement with Aetna to resolve potential HIPAA violations stemming from three separate patient data breaches in 2017.
The insurance giant had already settled a class-action lawsuit filed by breach victims in January 2018 for $17 million, as well as with California for $935,000 in January 2019 and with other state attorneys general for more than $600,000 in October 2018.
The OCR settlement stems from three security incidents reported to the agency in 2017. On April 27, Aetna discovered that two misconfigured web service apps, used to display plan-related documents to health plan members, had made those documents accessible to various search engines without any authorization, and the search engines had indexed the data online.
A reported 5,002 individuals were impacted by the event, which compromised protected health information, such as names, insurance ID numbers, claim payment amounts, service codes, and dates of services.
Then in August 2017, the insurer reported to OCR that benefit notices had been sent to about 11,887 plan members in window envelopes that revealed the words “HIV medication” below the member’s name and address.
Aetna reported yet another mailing error in November 2017, where research study participants were sent letters with the name and logo of the atrial fibrillation study directly on the envelope. A reported 1,600 plan members were impacted by the incident.
The OCR audit that followed revealed that, in addition to these impermissible disclosures, Aetna failed to perform the HIPAA-required periodic technical and nontechnical evaluations for operational changes that could affect the security of electronic PHI.
Aetna also failed to implement policies or procedures to verify the identity of entities seeking access to ePHI, or to limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure.
OCR also found the insurer did not implement appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI in its possession.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure,” OCR Director Roger Severino said in a statement. “Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement.”
Aetna agreed to pay OCR the civil monetary penalty and has entered into a corrective action plan that includes two years of monitoring.
Under the CAP, Aetna is required to develop, maintain, and revise, when necessary, its written HIPAA policies and procedures regarding the privacy of PHI, then distribute the guidance to its workforce.
The policies must include processes for evaluating environmental and operational changes that could affect PHI security, verification procedures for those seeking access to PHI, and minimum necessary requirements for accessing PHI.
Aetna must also implement the appropriate administrative, technical, and physical safeguards to protect PHI privacy in its mailings. Any workforce members who interact with PHI must also be trained on these new policies.
In the last month, OCR has resumed announcing civil monetary penalties for potential violations of HIPAA provisions, including the HIPAA Right of Access, after a serious lull amid the COVID-19 pandemic.