Life insurance firm settles multiple incidents dating back to 2017
A life insurance company that suffered three separate data breaches in one year has agreed to pay a $1 million settlement for breaking US healthcare data privacy regulations.
Aetna Life Insurance Company, based in Connecticut, US, will pay the sum to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HSS), after it admitted the 2017 breaches violated rules.
It will also adopt a corrective plan, a statement from the HSS reads, following the violations of the Health Insurance Portability and Accountability Act (HIPAA).
The first incident on April 27, 2017, breached 5,002 individuals’ data, including protected health information (PHI), names, and insurance details.
The HHS release explains: “Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines”.
Later that year, on July 28, Aetna customers complained that benefit notices mailed using window envelopes left their personal medical details visible.
The words ‘HIV medication’ could reportedly be seen. Aetna said that 11,887 people were affected by this second breach.
Finally, on September 25, 2017, a letter sent to Aetna plan members contained the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating, on the envelope.
Aetna reported that 1,600 individuals were affected by this lapse.
An OCR investigation ruled that in addition to the human error breaches, Aetna failed to perform regular evaluations of the security of its electronic PHI (protected health information); failed to implement procedures to verify the identity of those seeking access to electronic PHI; did not limit PHI disclosures to the minimum necessary; and failed to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure,” said OCR Director Roger Severino.
“Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement.”
Although a million-dollar settlement may indeed sound extreme, it is far from the largest penalty to have been enforced as a result of HIPAA violations.
The biggest payout to date was agreed in 2018, when health insurance company Anthem paid OCR a $16 million settlement.
The privacy violation settlement relates to a high profile cyber-attack between December 2014 and January 2015, which resulted in the personally identifiable information of 79 million people being exposed.
Names, dates of birth, and Social Security numbers were among the details stolen in the hack.
A statement from the Department of Health and Human Services blamed Anthem’s “inappropriate” security measures.
However, a spokesperson from the insurance company at the time said it did not accept any wrongdoing.