Aetna Mistakenly Discloses Thousands of Patients HIV Status

About 12,000 people received mailed letters from Aetna last month with their HIV status disclosed on the envelope. According to news reports, the letters were meant to relay a change in pharmacy benefits. But text visible through a small window on the envelopes listed the patients’ names and suggested a change with regard to how they should fill the prescription for their HIV treatment.

Advocates with the Legal Action Center who are pushing Aetna to correct the mistake say people have been devastated by the unexpected disclosure. Apparently a number of these individuals had chosen not to disclose their HIV status to family members and this is how they found out. Aetna is in the process of notifying state and federal authorities about this horrible breach of privacy. The mailing was sent on July 28. Aetna has apologized for the inadvertent disclosure. Advocacy groups have so far heard from patients in eight states (including California) and the District of Columbia.

Privacy of Medical Records

Privacy breaches such as this one are horrifying, but they do occur with alarming frequency. A 2009 law requires companies that are covered by federal health privacy laws to report data breaches that affect more than 500 individuals. That database showed about 30 breaches in July alone. The breaches involved a variety of information from service codes to Social Security numbers. Healthcare companies often settle health privacy law violation cases with Health and Human Services and in some cases, end up paying millions of dollars in fines.

Under federal privacy laws, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, your medical records are considered confidential. However, there are many ways in which you could become the victim of improper disclosure of medical records through a data security breach, improper record maintenance, or unauthorized views of your patient files. Medical records may include your medical history, your family’s medical history, details about your lifestyle, past procedures, lab test results, medications, etc. Doctors and hospitals are required to get your written authorization in order to share such medical information.

What Can You Do?

If you have been a victim of such a breach, contact the entity responsible for the disclosure and request that the disclosed records be retrieved and the copies destroyed. Contact Health and Human Services to report the incident and request an investigation. If any HIPAA violations are uncovered during such an investigation, the agency may issue disciplinary action. You may also be able to file a class action lawsuit against the corporation or entity and receive damages you may have suffered as a result of the disclosure of your medical records or sensitive information. An experienced consumer class action lawyer with experience in medical privacy matters may be able to advice you regarding your options.