
October 30, 2020

Privacy breach costs Aetna $1 million 


A website snafu and envelope mishaps that allowed potential access to patient data have cost Hartford health insurer Aetna $1 million in fines, the U.S. Department of Health and Human Services (HHS) announced Thursday. 

The three incidents cited were all in 2017 and involved potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. 

The insurer was penalized for allowing documents containing patient information, including names, insurance identification numbers, claim payment amounts, procedure service codes and dates of service, to be displayed on two web services. A total of 5,002 people were affected.

A second report found that 11,887 patients were potentially exposed to another data breach involving documents sent in window envelopes. Some customers complained that the words "HIV medication" could be seen in the window below the member's name and address. 

A related breach in the same year displayed the name and logo of an atrial fibrillation (irregular heartbeat) research study on the envelopes of 1,600 customers.  

Aetna agreed to pay the penalty to the HHS’s Office for Civil Rights (OCR).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

A recent report from the Connecticut Insurance Department found that Aetna shed 80,085 enrollees, or 20% of its total Connecticut customers across its HMO and traditional indemnity plans last year. Aetna was acquired by CVS Health for $69 billion in late 2018.
