What happened?In 2017, Aetna reported three breaches to OCR.
- In April 2017, Aetna exposed documents without login credentials which were subsequently indexed by search engines, exposing 5,002 individuals’ protected health information (PHI).
- In July 2017, Aetna sent letters with window envelopes. Besides displaying the name and address, they also showed private medical information. This breach affected almost 12,000 people.
- In September 2017, Aetna was conducting a research study and sent information to participants in the mail. The envelope contained the name and logo of the research study, which was an impermissible disclosure. 1,600 individuals were affected.
What did OCR conclude?After investigating the incidents, OCR concluded that Aetna failed to evaluate its electronic PHI ( ePHI ) security. Aetna also didn't verify who was accessing ePHI, limit PHI disclosures to the minimum necessary, or have the proper safeguards to protect PHI. "When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna's failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement," said OCR Director Roger Severino in a press release. On top of the fine, Aetna will also take part in a two-year corrective action plan to prevent further HIPAA violations .
How can you prevent this from happening to you?You can never put in too many safeguards to protect PHI. One of the grave mistakes that Aetna made was not identifying and mitigating security risks. SEE MORE: Anthem Settles with 44 States for Additional $40M Over 2015 Breach Besides technology breaches, the Aetna incident shows that HIPAA violations can occur even through traditional mail. It’s essential to keep paperwork as safe as your IT systems. Mail is not as private as you think. Anyone can read the envelope, or even open it, and obtain PHI or other information contained in the letter. No level of security can prevent that from occurring. Consider communicating with patients through secure, HIPAA compliant email instead of traditional mail. Paubox Email Suite encrypts all outbound email by default, ensuring that only the intended recipient receives your message. SEE MORE: Paubox Customers Automatically Upgraded to TLS 1.3 Our solution is straightforward to use and integrates with Google Workspace , Microsoft 365 , and Microsoft Exchange. Emails are delivered directly to your recipients’ inboxes; they don’t need to use portals, plugins, or apps to securely read your message. Stop using snail mail and start using email. You could save yourself a million dollars in fines.
Try Paubox Email Suite for FREE today.