Aetna Agrees to $17M Settlement in HIV Privacy Data Breach

Aetna agreed to settle a $17 million class action lawsuit involving a data breach that exposed HIV information on over 12,000 individuals.

By Thomas Beaton

Aetna has agreed to pay $17,161,200 in a settlement involving allegations that the payer exposed private HIV information for more than 12,000 beneficiaries.

The final terms of the settlement require Aetna to break up the total settlement amount into payments of either $75 or $500 to beneficiaries whose protected health information (PHI) was allegedly improperly disclosed. Beneficiaries affected by the alleged breach are guaranteed financial compensation amounts depending upon the severity of each member’s privacy breach.

The settlement comes six months after the first reports of the data breach, when beneficiaries received letters in envelopes with large transparent windows that revealed confidential HIV-related information. The plaintiffs in the settlement were led by Andrew Beckett (a pseudonym), one of the individuals whose information was exposed. The envelope revealed data about his pre-exposure prophylactic (PrEP) treatments for HIV.

Attorneys involved in the settlement believe that the agreement reinforces the importance of protecting sensitive data and protecting beneficiaries with stigmatized health conditions from potential discrimination.

“The fear of losing control of HIV-related information and the resulting risk of discrimination are barriers to health care,” Ronda B. Goldfein, executive director of the Philadelphia-based AIDS Law Project of Pennsylvania, and member of the Co-Lead Settlement Counsel, said.

“This settlement reinforces the importance of keeping such information private, and we hope it reassures people living with HIV, or those on PrEP, that they do not have to choose between privacy and health care.”

The details of the settlement included additional actions Aetna must take as well as administrative guidelines for distributing settlement payments.

Aetna will implement a “best practices” policy to prevent similar incidents from occurring in the future, and will use settlement funds to pay for attorneys’ fees and expenses.

Settlement Class Members can additionally submit a claim documenting either financial or nonfinancial damages to seek further compensation.

“Claimants may receive up to $10,000 for financial harm as calculated by the Settlement Administrator and up to $10,000 for non-financial harm as calculated by the Administrator, for a total maximum of up to $20,000 in addition to the minimum base payments,” the document explained.

A third-party administrator will receive no more than $180,000 to deliver settlement payments to the appropriate plaintiffs.

Legal organizations involved in the settlement praised its outcome and believe that it may serve as a broader warning to healthcare organizations that fail to protect beneficiaries’ PHI.

“The settlement provides a fair and just way to compensate class members for their harm while also requiring practice changes to prevent future breaches,” Sally Friedman, legal director of the New York City-based LAC, said. “The settlement’s magnitude will help restore the dignity and voice of those affected.”

“[The outcome of the settlement is] a very significant resolution for all those affected and a landmark settlement in the area of protecting consumers’ health information and privacy,” added Torin A. Dorros, managing attorney of Dorros Law.