By John R. Fischer, Senior Reporter | October 30, 2020
Aetna Life Insurance Company and its affiliate covered entity, Aetna, will pay a $1 million settlement for potential violations of HIPAA Privacy and Security Rules.
The health insurance company allegedly breached HIPAA (Health Insurance Portability and Accountability Act) rules three times over a six-month period in ways that exposed private patient information, and failed to perform proper security evaluations of its electronic protected health information (ePHI), according to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure,” said OCR Director Roger Severino in a statement. “Unfortunately, Aetna's failure to follow the HIPAA rules resulted in three breaches in a six-month period, leading to this million-dollar settlement.”
The breaches all date back to 2017. The first occurred in April of that year, when Aetna found that plan-related documents of its health plan members, hosted on two web services it used, could be accessed without login credentials. This allowed various internet search engines to index the documents, leading to the disclosure of the names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service for 5,002 individuals.
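The first breach is a common failure mode: member documents served by a web service with no authentication, so that anything that learns a URL (including a search engine crawler) can read them. The check below is an added example, not code from the article, Aetna, or OCR. It classifies what an unauthenticated client gets back from a document URL: only a 401/403 or a redirect to a sign-in page counts as protected; a 200 is an exposure whether or not a noindex hint is present, because noindex only asks well-behaved crawlers to stay away and is not access control. The hostnames, paths and responses are constructed for the example; `fetch_unauthenticated` is a hypothetical helper for running the same classification against your own endpoints.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal view of an HTTP response to a document URL."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# <meta name="robots" content="... noindex ..."> inside an HTML body
NOINDEX_META = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I)


def classify(resp: Response) -> str:
    """Classify the reply to an UNAUTHENTICATED request for a member document.

    'protected'         - server refused or sent the client to a sign-in page
    'absent'            - nothing there
    'exposed-noindex'   - readable by anyone; crawlers merely asked not to index
    'exposed-indexable' - readable by anyone and indexable (the Aetna pattern)
    """
    h = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (401, 403):
        return "protected"
    if 300 <= resp.status < 400 and "login" in h.get("location", "").lower():
        return "protected"  # redirected to a sign-in page
    if resp.status == 404:
        return "absent"
    if resp.status == 200:
        if "noindex" in h.get("x-robots-tag", "").lower() or NOINDEX_META.search(resp.body):
            return "exposed-noindex"
        return "exposed-indexable"
    return "unknown"


def audit(responses):
    """Map each URL to its exposure class."""
    return {r.url: classify(r) for r in responses}


def findings(responses):
    """URLs that need remediation: anything readable without credentials."""
    return [u for u, c in audit(responses).items() if c.startswith("exposed")]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of following it, so a redirect to
    /login is observed rather than silently replaced by the login page's 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch_unauthenticated(url: str, timeout: int = 10) -> Response:
    """Hypothetical helper: fetch with a bare client (no cookies, no auth header)
    so the reply reflects what an anonymous crawler would see. Not used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "doc-exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as r:
            body = r.read(65536).decode("utf-8", "replace")
            return Response(url, r.status, dict(r.headers.items()), body)
    except urllib.error.HTTPError as e:
        return Response(url, e.code, dict(e.headers.items()), "")


# Constructed sample replies (not real hosts or documents).
SAMPLE = [
    Response("https://plans.example.test/docs/eob-1001.pdf", 200,
             {"Content-Type": "application/pdf"}, "%PDF-1.4 ..."),
    Response("https://plans.example.test/docs/eob-1002.pdf", 200,
             {"Content-Type": "application/pdf", "X-Robots-Tag": "noindex, nofollow"},
             "%PDF-1.4 ..."),
    Response("https://plans.example.test/portal/docs/eob-1003.pdf", 302,
             {"Location": "https://plans.example.test/login?next=/portal/docs/eob-1003.pdf"}, ""),
    Response("https://plans.example.test/api/docs/eob-1004.pdf", 401,
             {"WWW-Authenticate": "Bearer"}, ""),
    Response("https://plans.example.test/docs/summary.html", 200,
             {"Content-Type": "text/html"},
             '<html><head><meta name="robots" content="noindex"></head></html>'),
]

if __name__ == "__main__":
    for url, cls in audit(SAMPLE).items():
        print(f"{cls:18} {url}")
    print("needs remediation:", len(findings(SAMPLE)))
```

The classification deliberately treats `exposed-noindex` as a finding: it fails the periodic technical evaluation the OCR findings call for just as much as an indexable document does, since the fix is authentication on the endpoint, not a crawler hint.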
The second occurred in July, when Aetna received complaints about benefit notices it had mailed to members in window envelopes. The words “HIV Medication” could be seen through the envelope windows below the names and addresses of 11,887 individuals. A third incident followed in September, when the name and logo of an atrial fibrillation research study appeared on the envelopes used to mail study materials to Aetna plan members participating in it. This breach affected 1,600 individuals.
An investigation by OCR into these potential violations found that Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of its ePHI; implement procedures to verify the identity of patients or anyone else seeking access to ePHI; limit disclosures of PHI to the minimum number of people necessary for the intended use or disclosure; and put in place proper administrative, technical and physical safeguards to protect PHI privacy.
Aetna has agreed to implement a corrective action plan that includes two years of monitoring. The plan includes developing written policies and procedures that comply with federal regulations on the privacy of individually identifiable health information; performing periodic technical and nontechnical evaluations of environmental or operational changes that affect PHI security; implementing procedures to verify that a person or entity seeking access to PHI is the one claimed; limiting access to PHI to the minimum number of people necessary for specific purposes; and implementing appropriate administrative, technical, and physical safeguards for PHI in mailings. In addition, all Aetna workforce members with access to PHI will receive specific training on these policies and procedures.
Aetna did not respond to a request for comment.