Aetna has agreed to pay HHS' Office for Civil Rights $1 million to resolve alleged HIPAA violations stemming from three separate incidents the health insurance giant reported in 2017, the agency said Wednesday.
Aetna has been a subsidiary of CVS Health since 2018.
Aetna in April 2017 discovered that two web services the company used to display plan-related documents to members were accessible to view online without log-in credentials and were subsequently indexed by internet search engines. Just over 5,000 members had their names, insurance identification numbers, claim payment amounts and other information exposed.
In July of that same year, Aetna mailed benefit notices to members in envelopes whose address windows left the words "HIV medication" visible.
Nearly 12,000 members had health information exposed as part of the mailing error.
Finally, in September 2017, Aetna reported another mailing incident, in which letters sent to members participating in an atrial fibrillation research project displayed the name and logo of that study on the envelope. In total, 1,600 members were affected in that data breach.
OCR in its investigation into the three data breaches determined that Aetna hadn't implemented procedures to limit health data disclosure and didn't have appropriate administrative, technical and physical safeguards in place to protect the privacy of members' health data.
"When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure," said OCR Director Roger Severino in a statement. "Unfortunately, Aetna's failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement."
In addition to the monetary settlement, Aetna will implement a corrective action plan that includes HHS monitoring the insurer's compliance with HIPAA for two years.
"Protecting our members' privacy is a responsibility we take very seriously," a CVS Health spokesperson said in an emailed statement. "These incidents occurred prior to Aetna becoming part of CVS Health, and did not involve any of the company's other businesses. We have since updated our processes and procedures to further protect member information and are working cooperatively with OCR to further enhance our policies related to privacy and security."