Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.

On July 28, 2017, letters containing information about access to HIV medication were sent to 12,000 Aetna policyholders. According to a notice from Aetna, a plastic window on the envelope exposed the patient’s name, address and a reference to filling prescriptions for HIV medications. The notice also confirmed that a “vendor” handled the mailing.

The Legal Action Center and the AIDS Law Project of Pennsylvania, in a letter sent late last week, accused Aetna of causing “incalculable harm to Aetna beneficiaries,” violating the Health Insurance Portability and Accountability Act “as well as numerous statutory and common laws governing confidentiality of health information.”

“A number of the individuals … reported that family members and neighbors learned their confidential information regarding their use of HIV medications as a result of Aetna’s breach,” the letter said. The letter also contained a link to a redacted envelope received by a policyholder in Brooklyn, New York, which is reproduced below. The envelope showed portions of a letter advising customers about options “when filling prescriptions for HIV Medic .…”

The legal groups wrote on behalf of Aetna customers in Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania and the District of Columbia. It has been reported that many customers in these states have filed complaints with regulators, including the Office of Civil Rights of the Department of Health and Human Services.

Aetna has accepted responsibility for the mistake and called it “unacceptable.” The company said it “deeply regret[ed]” the incident and apologized to affected individuals. “Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right.”

The risks of using traditional mail for transmitting protected healthcare information aren’t new. Several insurers have been sued by HIV patients who objected to sending healthcare information by mail because of privacy concerns.

And in 2015, Triple-S Management Corporation, a Puerto Rican insurance holding company, settled a number of alleged HIPAA privacy violations by paying $3.5 million in fines and implementing a corrective plan. Among the violations alleged by the Office of Civil Rights, the company disclosed to a third-party vendor – without use of a Business Associate Agreement to protect the information – the names of plan beneficiaries, health insurance claim numbers and insurance plan numbers, which were then printed on the outside of a pamphlet mailed to policyholders. The company was also accused of mailing protected healthcare information to the wrong policyholders, which included information about diagnostic tests.

We’ll continue to monitor this story as it develops.