The insurer Aetna is still rebounding after the impermissible disclosure of members’ Protected Health Information (PHI) that resulted in a class action lawsuit.

Since the start of the lawsuit, Aetna has paid $17 million in addition to settlements with the Attorney Generals of New Jersey, Connecticut, and the District of Columbia who spearheaded the investigation of Aetna’s mishandling of plan member information, according to a recent HIPAA article.

In July of 2017, a mailer was sent by an Aetna business associate to nearly 12,000 individuals using windowed envelopes that allowed member names/addresses to be visible as well as the words “HIV Medications.”

Compounding on the slip-up in July was another similar mishap in September where approximately 1,600 plan members received mailers that once again allowed names and addresses to be visible in addition to an IMPACT AFib study logo.

Naturally both cases resulted in the potential exposure of members’ sensitive health diagnoses with regards to HIV status and Atrial Fibrillation.

New Jersey Attorney General Gurbir Grewal told HIPAA Journal: “Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures.” He went on to say. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

District of Columbia Attorney General Karl A. Racine also weighed in on the importance of handling this sensitive information properly saying: “Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”

While the settlements have represented a significant step forward with regards to HIPAA supervised entities more appropriately safeguarding private information, it’s only the start for Aetna. The company is now attempting to recoup some of its losses from the ongoing legal debacle.

Aetna attempted to relieve some of the burden imposed by settlements by filing suit against Kurtzman Carson Consultants. Kurtzman Carson Consultants being the administrator that allegedly was responsible for sending the mailers without informing Aetna that windowed envelopes were the intended carriers.

Two more lawsuits were also filed against the law firm Whatley Kallas and the California-based advocacy group Consumer Watchdog. Both Whatley Kallas and Consumer Watchdog represented victims of a previous incident that catalyzed sending the notification mailers responsible for the breach in 2017. That violation of privacy was created when Aetna required HIV drugs to be sent to affected plan members using refrigerated containers as opposed to allowing the medications to be collected in person. It was argued that these containers would make their contents clear to outside parties thereby transgressing the recipients’ entitlement to privacy.

A back-and-forth debate has ensued with Aetna claiming that it was pushed to send sensitive information to Kurtzman Carson Consultants by Whatley Kallas and Consumer Watchdog despite being opposed to the idea. Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog have pushed back against the claim saying that while they “held Aetna’s feet to the fire,” they were unaware that PHI was being sent using windowed envelopes.

Regardless, Aetna has forged ahead with its efforts to mitigate losses by alleging that said law firms were aware of a proposal to use windowed envelopes but failed to catch the error. Time will tell whether these allegations prove to be based in fact or are as Consumer Watchdog termed them “frivolous Claims.”

Protecting personal information, especially when it relates to health, is one of the most vital aspects of conducting business in an ever-evolving professional world. Sometimes it can become necessary to seek help when navigating such a potential minefield of legal ramifications. Visit HIPAAgps to help your organization achieve greater simplicity in compliance efforts and gain a better understanding of HIPAA compliance.