The healthcare insurance giant Aetna has reached a $1 million settlement for violating HIPAA regulations.
Aetna had been accused of disclosing its customers’ information in three separate breaches. Beyond those breaches, Aetna had repeatedly violated a number of the HIPAA regulations intended to protect users’ data.
Under the settlement, Aetna is liable to pay $1 million to the Department of Health and Human Services’ Office for Civil Rights (OCR) for these violations. Aetna has also committed to taking stricter steps to protect its users’ data.
Aetna’s breaches & regulatory violations
The major concern regarding Aetna was the three data breaches that happened in succession in 2017. Details of these breaches are as follows –
- In April 2017, two web services made health-plan related documents available to users on the internet. These documents were served without any authentication, so anyone could access the information without proving who they were. Around 5002 people were affected by this breach.
- This incident was followed by another breach in July 2017, in which protected information was impermissibly disclosed in mailings. The mailings were benefit notices sent in window envelopes to individuals receiving HIV medication for treatment or prophylaxis. For nearly 11887 people, the words ‘HIV medication’ were visible through the envelope window below the recipient’s name & address.
- The third incident, in September 2017, was very similar to the second: mailings were sent to 1600 patients with an irregular heart rhythm, and the name of the Atrial Fibrillation Research Study was visible in the envelope window below the recipient’s name & address.
But the problem was not limited to the above-mentioned breaches, which put the privacy of over 18000 individuals at risk. According to OCR, Aetna had also violated a number of other HIPAA regulations from time to time. These violations came to light during the OCR investigation and include:
- In violation of 45 C.F.R. § 164.308(a)(8), Aetna put the security of its ePHI (electronic PHI) at risk by failing to perform periodic technical & nontechnical evaluations.
- In violation of 45 C.F.R. § 164.312(d), the organization did not implement procedures to verify the identity of individuals seeking access to its ePHI.
- By not limiting disclosures of ePHI to the minimum necessary information to achieve the purpose of the disclosure, Aetna violated 45 C.F.R. § 164.514(d).
- Lastly, by lacking adequate administrative, technical & physical safeguards to protect PHI, the company violated 45 C.F.R. § 164.530(c).
Big mistakes cost Aetna BIG!
When users entrust organizations like Aetna with sensitive information such as their healthcare data, they are placing real trust in them. In cases like these, where that trust is breached, the organization’s growth can suffer badly.
On the subject of this settlement, OCR Director Roger Severino said, ‘Individuals contracting for health insurance expect plans to ensure the safety of their medical information from public exposure. Unfortunately, Aetna’s failure to comply with HIPAA Rules resulted in 3 breaches within a 6-month period. This finally led to this million-dollar settlement.’
But this isn’t the first time that Aetna has paid millions for its misconduct. In 2018, Aetna settled a class action lawsuit over the HIV medication mailing incident. The suit was filed on behalf of the victims and was settled for $17 million.
Besides the said penalty, Aetna will also have to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. Aetna will also be closely scrutinized for noncompliance with the HIPAA Rules for 2 consecutive years.