Aetna has agreed to pay HHS’ Office for Civil Rights $1 million to resolve alleged HIPAA violations stemming from three separate incidents the health insurance giant reported in 2017, the company said Wednesday.
Aetna has been a subsidiary of CVS Health since 2018.
In April 2017, Aetna found that two web services the company used to display plan-related documents to members were accessible to view online without log-in credentials and were subsequently indexed by internet search engines. Just over 5,000 members had their names, insurance identification numbers, claim payment amounts and other information exposed.
In July of that same year, Aetna mailed benefit notices to members in which the words “HIV medicine” could be seen through the windows in the envelopes used to display addresses.
Almost 12,000 members had health information exposed as part of the mailing error.
Finally, in September 2017, Aetna reported another mailing incident, in which a research project related to atrial fibrillation mailed letters to members with the logo and name of the research study in which the members were participating on the envelope. In total, 1,600 members were affected in that data breach.
In its investigation into the three data breaches, OCR determined that Aetna hadn’t implemented procedures to limit health data disclosure and did not have appropriate administrative, technical and physical safeguards in place to protect the privacy of members’ health data.
“When people contract for health insurance, they expect plans to keep their medical information safe from public exposure,” said OCR Director Roger Severino in a statement. “Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement.”
In addition to the monetary settlement, Aetna will implement a corrective action plan that includes HHS monitoring the insurer’s compliance with HIPAA for two years.
“Protecting our members’ privacy is a responsibility we take very seriously,” a CVS Health spokesperson said in an emailed statement. “These incidents occurred prior to Aetna becoming part of CVS Health, and didn’t involve any of the company’s other businesses. We have since updated our processes and procedures to further protect member information and are working cooperatively with OCR to further enhance our policies related to privacy and security.”