
NJ Attorney General Reaches Settlement with Aetna for Disclosing Privacy Info of Thousands in NJ

New Jersey

TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey has entered into a settlement agreement with Aetna, Inc. to resolve allegations that the company improperly disclosed protected health information of thousands of Americans, including hundreds of New Jersey residents.

The settlement is the result of a multi-state investigation focused on two separate privacy breaches by Aetna that occurred in 2017 -- one involving a mailing that potentially revealed information about addressees’ HIV/AIDS status, the other involving a mailing that potentially revealed individuals’ involvement in a study of patients with atrial fibrillation (or AFib). New Jersey coordinated with Connecticut, Washington and the District of Columbia in conducting the investigation and negotiating a resolution.

Under the terms of the settlement, Aetna will put in place policy, protocol and training reforms designed to safeguard individuals’ protected health information, and ensure the confidentiality of mailings containing that information. The company also will hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the settlement’s injunctive terms. In addition, Aetna will pay a civil penalty of $365,211.59 to New Jersey.

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said Attorney General Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

The multi-state investigation revealed that Aetna inadvertently disclosed HIV/AIDS-related information about thousands of individuals across the U.S. -- including approximately 647 New Jersey residents -- through a third-party mailing on July 28, 2017. The envelopes used in the mailing had an over-sized, transparent glassine address window, which revealed not only the recipients’ names and addresses, but also text that included the words “HIV Medications.”

A class action lawsuit filed on behalf of individuals affected by the HIV/AIDS mailer has been settled, pending approval from a federal court, for over $17 million in compensation to class members.

The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals concerning a study of patients with AFib. The envelopes for the mailing included the name and logo for the study – IMPACT AFib – which could have been interpreted as indicating that the addressee had an AFib diagnosis. Approximately 186 New Jersey residents were included in the AFib mailing.

New Jersey and the other investigating states alleged that Aetna violated not only the federal Health Insurance Portability and Accountability Act (HIPAA), but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular. (The New Jersey AIDS Assistance Act, for example, prohibits the disclosure of any record that contains identifying information about a person who has, or is suspected of having, AIDS or HIV, without the person’s written consent or statutory authorization.)

The investigating states also alleged that the two data breaches contravened Aetna’s representations to enrollees – laid out on the company website – that Aetna would safeguard their private health information through “extensive operational and technical protections” and its “commitment to information privacy and compliance with legislation such as HIPAA and state privacy laws.”
