SACRAMENTO – California Attorney General Xavier Becerra today announced a $935,000 settlement resolving allegations that Aetna Inc. (Aetna) violated California health privacy laws in connection with its 2017 breach of patient confidentiality. Due to a mailing error, a vendor for Aetna sent letters to 1,991 Californians that revealed through an oversized clear window on mailed envelopes that the recipient was taking HIV-related medication.
“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Becerra. “Aetna violated the public’s trust by revealing patients' private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring.”
Aetna is a health insurance company based in Connecticut. On July 28, 2017, Aetna mailed letters to approximately 12,000 people nationwide, including 1,991 Californians. The letters revealed through an enlarged window on the envelope that the recipient was taking HIV-related medication. Attorney General Becerra alleges that by breaching its customers’ confidential medical information, Aetna violated state law, including the Confidentiality of Medical Information Act, Health and Safety Code section 120980, the State Constitution, and the Unfair Competition Law.
The injunctive terms in today’s settlement require Aetna to implement and maintain specific mailing procedures that preserve the confidentiality of medical information. Included in these necessary procedures are steps to ensure that medical information is not visible through the window of the envelopes. Additionally, Aetna must designate an employee responsible for Aetna’s implementation and maintenance of the revised mailing program, compliance with state and federal privacy laws, and management of external vendors handling medical information in compliance with Aetna’s privacy policies and procedures. Aetna is also required to complete an annual privacy risk assessment evaluating compliance with the terms of the settlement for three years.
The victims have additionally received over $17 million in compensation through a private class action settlement.
Attorney General Becerra is committed to protecting consumer and individual privacy through civil prosecution of state and federal privacy laws. Since taking office in January 2017, he has announced a $148 million settlement with Uber for failing to notify regulators and users of a data breach; an $18.5 million settlement with Target for failing to provide reasonable data security; a $9.8 million settlement with Walgreens for failing to adhere fully to requirements imposed by California law for the dispensing of certain prescription drugs under Medi‑Cal; and a $3.5 million settlement with Lenovo for illegally preinstalling software that compromised the security of its computers.