Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Yet Another Twist in Messy Aetna Privacy Breach Case
Health Insurer Sues Organizations That Represented HIV Patients in Earlier Privacy DisputeA messy legal case involving a 2017 privacy breach that has already cost Aetna about $20 million in settlements has taken yet another twist. The health insurer has filed suit against two more organizations in an attempt to recoup some of its breach-related costs. Those organizations represented plaintiffs in another privacy-related dispute.
The insurer's latest legal maneuver comes after it sued a third organization in another effort to get financial relief for breach-related expenses.
A Lengthy Saga
The saga began when Aetna settled a 2014 class action lawsuit by agreeing to provide its plan members options for how they can fill their HIV prescriptions - including in person at retail pharmacies - in order to help protect the patients' privacy. Aetna has originally required the drugs be filled by mail order.
Attorneys for plaintiffs in that 2014 case argued the filling of HIV prescription drugs by mail order left the privacy of patients' HIV status vulnerable to exposure to family, neighbors and others.
The privacy breach at the center of the most recent legal dispute occurred during a 2017 mailing of letters to about 12,000 Aetna plan members in several states to inform them of the new options for filling their HIV prescriptions. Ironically, the members' HIV drug information was potentially visible through that mailing's envelopes, which had transparent windows.
Lots of Legal Actions
Aetna in January settled two lawsuits related to that mailing mishap. That includes a $17.2 million settlement in a class action lawsuit filed against the company and a $1.15 million settlement with the New York state attorney general's office.
In both of those settlements, Aetna also agreed to beef up protections to ensure the privacy of personal health information and personally identifiable information in mailings.
In the month after those two settlements, Aetna filed a lawsuit against Kurtzman Carson Consultants, a class action settlement administrator company that Aetna says directed the mailing to the health plan members in which the HIV medication information was visible through windowed envelopes.
Among other allegations, Aetna claims that KCC did not advise Aetna or its counsel that it intended to use a window envelope to mail the notice to Aetna's health plan members.
The Latest Twist
But in the latest legal twist in the saga, Aetna on May 23 filed a lawsuit against Whatley Kallas LLP, a Colorado law firm, and Consumer Watchdog, a California-based nonprofit advocacy group. Those two entities represented plaintiffs in the original 2014 suit against Aetna seeking changes in how the health insurer allows HIV patients to fill HIV drug prescriptions.
Among several lawsuits still ongoing against Aetna for the mailing mishap is a class action lawsuit filed in October 2017 by Whatley and Consumer Watchdog, who are again representing the same John Doe plaintiffs who brought the original 2014 lawsuit against Aetna.
Aetna's latest legal complaint argues that Whatley and Consumer Watchdog should bear some of the breach-related expenses that the insurer faces because they proposed using KCC to serve as the settlement administrator for the 2014 lawsuit settlement. The complaint also asserts that Whatley was a party to KCC's proposal for the mailing to Aetna members concerning the change in options for filling HIV medication prescriptions.
"Shortly after an amended [mailing] proposal was sent to Whatley and Aetna's former outside legal counsel, Whatley demanded that Aetna's outside legal counsel immediately produce confidential PHI of the [Aetna plan] members to KCC," Aetna's new complaint alleges.
On July 28, 2017, "notwithstanding the [mailing] proposal's specific reference that non-windowed envelopes would be used to mail the notices, KCC improperly mailed the notices to members using envelopes with see-through address windows, even though KCC knew, or should have known, that they were handling confidential PHI," Aetna alleges.
Aetna also alleges, among other things, that Whatley and Consumer Watchdog did not review the final proofs of the envelopes that would be used in the mailings.
10 Lawsuits Filed
So far, 10 lawsuits have been filed against Aetna or Aetna-related entities alleging harm and damages purportedly caused by the mailing incident, Aetna states. In addition to those lawsuits, "several state attorneys general, as well as the U.S. Department of Health and Human Services, have opened up investigations into the incident," the health insurer says.
In its complaint against Whatley and Consumer Watchdog, Aetna contends that it would not have been sued by certain of its members "but for the acts, errors, omissions and negligence" of Whatley and Consumer Watchdog.
Aetna is seeking damages of not less than $20 million. It is also asking that Whatley and Consumer Watchdog hold the insurer harmless "from all liability, damages, settlements, fines, penalties, payments losses, costs, judgments, expenses and attorneys' fees in connection with the [mailing] incident".
Response to Latest Lawsuit
In a May 22 joint letter to Aetna's attorneys posted on Consumer Watchdog's website, Whatley and Consumer Watchdog write: "It is clear Aetna has absolutely no evidentiary support for its spurious claim against ... Consumer Watchdog and Whatley Kallas LLP."
The letter continues: "Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis ... instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers' private medical information is protected."
Vendor Management Lessons
This increasingly complicated legal saga offers critical lessons to other healthcare organizations and their vendors.
"Any one of the parties involved could have raised a red flag, but no one did."
—Stephen Wu, Silicon Valley Law Group
"The key lesson here is that all parties involved in a communication of sensitive information should exercise independent judgment about the proposed communication and review its particulars before it goes out," says privacy attorney Stephen Wu of the law firm Silicon Valley Group, who is not involved in the case. "Any one of the parties involved could have raised a red flag, but no one did."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says the Aetna saga provides a "teachable moment."
"Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials as part of a large mailing to a number of people, there must be a quality control process in the design, production and delivery of the finished product," he stresses.
"When outsourcing some or all of mailing production, make sure prospective vendors can meet your requirements for appropriately handling sensitive information like PHI, have a plan to ensure that the legal and regulatory requirements for privacy and security are met and will execute a business associate agreement."
Passing Blame?
So, in its recent legal actions, is Aetna is trying to pass blame for the mailing mishap to others?
"Yes, but Aetna has a point," Wu says. "When you read the contract at issue, it was between the settlement administrator service company and the law firm representing the plaintiffs. The proposal contained a specification for windowed envelopes. If the law firm were on top of things, that specification should have raised a red flag. And no one at the law firm caught it. The [contract] backs Aetna's version of the facts, although Aetna and its counsel should have been involved in the process, as well."