August 30, 2017; Gears of Biz
After a mailing to customers possibly revealed the HIV status of nearly 12,000 of its members, Aetna was forced to send out a second letter to do damage control, saying, “We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members.” No nonprofit organization wants to find itself in this situation, and organizations both large and small can learn from Aetna’s mistake.
How did a major health insurance company make such a tremendous privacy breach? A review of the case indicates it is actually an easy to mistake to make and any organization could conceivably end up in the same situation if the necessary precautions are not taken.
Aetna sent a letter to members who had HIV drug prescriptions to inform them of upcoming changes. According to an NPR report, the insurance company “confirmed that the vendor handling the mailing had used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window.” Pictures included in the NPR report show just how large the window on the envelope was, and clearly show that the first few sentences of the letter as well as the full name of the patient are visible.
Several Aetna members have indicated that family members learned about their HIV status through this medical information breach. While private information being leaked in general is a violation of trust, this problem is compounded by the fact that HIV still carries a stigma and HIV positive individuals may face discrimination from not only family and friends, but also employers. As a result, The Legal Action Center and the AIDS Law Project of Pennsylvania have filed a class action lawsuit against Aetna contending that the insurance company violated the Health Insurance Portability and Accountability Act (HIPAA), which essentially protects patients’ personal health information. Aetna could face fines up to $50,000 per violation.
Many nonprofit organizations have access to private information such as HIV status, sexual orientation, disability status, and more. And yet, some of these organizations do not hold themselves to the high security standards set forth by HIPAA and risk inadvertently revealing information about their constituents. Even unassuming communications can imply medical information. For instance, a postcard invitation to a support group from an organization that serves people with HIV can imply that the recipient has HIV or someone close to them does. This is not to say that nonprofits should halt all communications, but they should have policies in place that prevent information leaks due to negligence, and this is the responsibility of the board to ensure.—Sheela Nimishakavi