Aetna Pays $1M to Settle Three HIPAA Breaches
by Sara Nguyen
In 2017, Aetna reported three breaches to OCR.
- In April 2017, Aetna left documents accessible without login credentials; they were subsequently indexed by search engines, exposing 5,002 individuals’ protected health information (PHI).
- In July 2017, Aetna sent letters in window envelopes. Besides displaying the name and address, the envelopes also showed private medical information. This breach affected almost 12,000 people.
- In September 2017, Aetna was conducting a research study and sent information to participants in the mail. The envelope contained the name and logo of the research study, which was an impermissible disclosure. 1,600 individuals were affected.
What did OCR conclude?
After investigating the incidents, OCR concluded that Aetna failed to evaluate its electronic PHI (ePHI) security.
Aetna also didn’t verify who was accessing ePHI, limit PHI disclosures to the minimum necessary, or have the proper safeguards to protect PHI.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement,” said OCR Director Roger Severino in a press release.
How can you prevent this from happening to you?
You can never put in too many safeguards to protect PHI. One of the grave mistakes that Aetna made was not identifying and mitigating security risks.
Besides technology breaches, the Aetna incident shows that HIPAA violations can occur even through traditional mail. It’s essential to keep paperwork as safe as your IT systems.
Mail is not as private as you think. Anyone can read the envelope, or even open it, and obtain PHI or other information contained in the letter. No level of security can prevent that from occurring.
Consider communicating with patients through secure, HIPAA-compliant email instead of traditional mail.
Paubox Email Suite encrypts all outbound email by default, ensuring that only the intended recipient receives your message.
Our solution is straightforward to use and integrates with Google Workspace, Microsoft 365, and Microsoft Exchange. Emails are delivered directly to your recipients’ inboxes; they don’t need to use portals, plugins, or apps to securely read your message.
Stop using snail mail and start using email. You could save yourself a million dollars in fines.