Aetna Life Insurance Company (Aetna) has agreed to pay $1M to settle 3 HIPAA breach allegations. It will pay the U.S. Department of Health and Human Services and adopt a corrective action plan.
Aetna submitted a breach report to HHS in June 2017 disclosing that on April 27, 2019, Aetna discovered that two web services used to display plan documents to health plan members had the documents accessible without login credentials. 5,002 individuals were impacted by the breach and the visible information included names, insurance IDs, claim payment amounts, procedure codes and dates of service.
In August 2017, Aetna submitted a breach report to HHS disclosing that on July 28, 2017, Aetna discovered that benefit notices had been mailed to members with the words “HIV medication” visible through the envelope window. 11,887 individuals were impacted by the breach.
In November 2017, Aetna submitted a breach report to HHS disclosing that on September 25, 2017, a research study mailing sent to members included the name and logo of the research study on the envelope. 1,600 individuals were impacted by the breach.
HHS investigated and found that Aetna failed to perform periodic evaluations of how operational changes affect the security of electronic protected health information (ePHI), failed to implement procedures to verify the identity of people seeking access to ePHI, and failed to limit disclosures to the minimum necessary information. Therefore, HHS assessed a $1M penalty.
In addition to paying the penalty, Aetna will create a corrective action plan that includes 2 years of monitoring. HHS has published the resolution agreement and corrective action plan.