For some of these customers, a plastic window on the envelope exposed not only the patient’s name and address, but also a reference to filling prescriptions for HIV medications. This meant that whoever picked up the mail that day — a family member, a friend, a postal worker — would have been able to see the confidential information, according to the Legal Action Center and the AIDS Law Project of Pennsylvania. It is not known exactly how many customers were affected.
Attorneys from both legal groups wrote to Aetna on Thursday demanding that the company immediately stop sending customers mail that “illegally discloses that they are taking HIV medication.” It also demanded that the insurer take necessary measures to make sure such a breach doesn’t happen again.
The legal groups wrote on behalf of Aetna customers in Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania and the District of Columbia, according to their letter. The attorneys have so far received 23 complaints regarding the misstep, and more continue to come in, CNN reported.
“This type of mistake is unacceptable,” the company said in a statement, Bloomberg reported. “We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members.”
Aetna was first made aware of the possible breach on July 31, the company said in a letter sent to affected customers, uploaded online by CNN. After investigating the issue, Aetna confirmed that a vendor in charge of the mailing had used a window envelope, and “in some cases, the letter could have shifted through the window.”
“Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right,” Aetna said. “We will work to ensure that proper safeguards are in place to prevent something similar from happening in the future.”
The letters were sent to customers taking medications for HIV treatment as well as for pre-exposure prophylaxis (PrEP), which helps prevent HIV, according to the legal groups. The errors have caused “incalculable harm” to Aetna customers, the attorneys wrote.
“Aetna’s privacy violation devastated people whose neighbors and family learned their intimate health information,” Sally Friedman, legal director of the Legal Action Center, said in a statement. “They also were shocked that their health insurer would utterly disregard their privacy rights.”
Many of these customers have filed complaints with agencies such as the Office of Civil Rights of the Department of Health and Human Services, the legal firms wrote.
Beyond violating the law, Aetna’s “casual disclosure” of a patient’s HIV status “creates a tangible risk of violence, discrimination and other trauma,” Friedman said.
Despite medical advances, “widespread stigma still exists against people living with HIV,” the legal groups wrote in a statement. This can lead to discrimination in employment, housing and education.
LGBT rights group Lambda Legal, one of the many organizations contacted by customers affected, tagged Aetna in a tweet Thursday, saying, “Shame on you.”
“You’ve effectively fanned the flames of #HIV stigma,” Lambda Legal wrote. “You need to fix this.”