- The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) reached a settlement agreement with Aetna Life Insurance Company and related entities (collectively “Aetna”) to resolve alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.
- According to the resolution agreement, Aetna submitted breach reports about three separate incidents to OCR. The first involved two web services that displayed plan-related documents to health plan members without requiring login credentials; because the documents were reachable without authentication, they were later indexed by online search engines. This breach resulted in the disclosure of over 5,000 individuals’ protected health information. The other two breach reports related to physical mail in which protected health information, including information relating to recipients’ HIV status, was visible without opening the mailing’s envelope.
- Under the terms of the resolution agreement, Aetna will pay $1 million to HHS and adopt a corrective action plan to strengthen its information safeguards, which includes developing and implementing written policies and procedures to comply with HIPAA’s privacy and security standards, executing staff training reforms, and submitting annual compliance reports, among other things.
- As previously reported, Aetna also reached settlements with state attorneys general (“AGs”) to resolve allegations stemming from the same incidents.