Health insurance giant Aetna is learning an expensive lesson following its mishandling of private health information in the summer of 2017.

Aetna has agreed to pay over $17 million to resolve privacy breach claims with approximately 12,000 of its customers after it accidentally revealed their HIV status through the windows of envelopes. In an ironic twist, the letters had been issued as part of a planned communication to customers following the settlement of two prior privacy-related lawsuits that had been filed against the company for requiring HIV patients to acquire their medications through mail-order and not allowing them to pick prescriptions up in person at pharmacies. The letters, informing patients who take HIV medications and pre-exposure prophylaxis drugs on how to fill their prescriptions, were mailed in envelopes with large plastic windows that revealed names, addresses, claim numbers, and medication instructions.

Funds from the settlement are earmarked for base payments of approximately $500 each to victims of the breach. In addition to the financial settlement, Aetna has agreed to create and enforce “best practices” regarding its mailings.

But Aetna’s pain isn’t over yet. The company also reached a separate settlement with the State of New York over the same incident, agreeing to pay its New York customers affected by the mishandled envelopes a separate settlement of over $1 million. The New York settlement also includes over 100 Aetna customers whose participation in a research study on atrial fibrillation had been revealed due to the use of similar window envelopes. The New York Attorney General also extracted from Aetna an agreement to hire an independent consultant to oversee and report on its compliance with the terms of the settlement and the overhaul of its mailing practices.