The health insurer Aetna is under fire for mailing letters that inadvertently disclosed that at least some of the 12,000 recipients were taking HIV medications, thanks to text visible through the envelopes’ windows.
The letters, which were sent earlier this summer, are a privacy breach, according to the Legal Action Center, a nonprofit law organization that advocates for people with HIV and AIDS, and the AIDS Law Project of Pennsylvania. On Thursday, the groups said they had asked Aetna to stop sending the letters and to correct its practices to prevent similar situations from happening again.
In the case of one such envelope, posted online by the groups, the words “filling prescriptions for HIV” can be seen through the window.
These letters were sent to about 12,000 Aetna members, Aetna spokesperson T.J. Crawford told BuzzFeed News. It is unclear how many of these showed private information through the envelope window.
Sally Friedman, legal director of the Legal Action Center, said that before Thursday, her group had received complaints from 23 people across nine states. Those people were taking medications for HIV treatment or prevention.
“It’s extremely harmful on many levels to people who received the mail,” Friedman told BuzzFeed News. “Young adults who have had their parents learn their HIV status this way, it’s been absolutely devastating to them.” She said she’s also heard from a person who had been kicked out of his home because of the letter, and another who felt “suicidal.”
One letter went to Edgar, a 26-year-old in Austin, Texas, who requested to withhold his last name to protect his privacy. As he recalled, his older sister handed him the envelope, asking, "Is there something you want to tell me?"
Edgar is gay and taking the HIV prevention medication known as PrEP, or pre-exposure prophylaxis. "I had to have the conversation with her about what is PrEP and why there's gay men who take it," he told BuzzFeed News. "It was an awkward situation. Here my family might possibly think I'm HIV-positive." Even though that wasn't the case for him, he added, "It was still a scare for them."
“We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members,” Aetna said in a statement. “This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again.”
The July 28 letter that kicked off the debacle informed patients of a change in their pharmacy benefits and access to medications, according to a separate letter Aetna sent this week to notify patients of the privacy breach. Aetna became aware of the problem three days later.
In its latest letter, Aetna noted that the information displayed in the window was the patient’s “first name, last name, address, and in some cases, a reference to filling prescriptions for [certain] medications.” It added, “The viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition.”
Shown this latest letter by BuzzFeed News, Friedman said it doesn’t matter whether a specific medication or condition was named.
“HIV is a highly stigmatized illness,” she said. “So even though it would be completely illegal and outrageous for this to have happened with some other type of medication or condition, the fact it’s HIV information makes it so highly stigmatized and painful for those involved.”
She added that this incident could foster mistrust between health care institutions and people who need help but may be afraid of seeking it. “I think this is harmful for patient privacy rights generally,” she said.
On Monday, a class-action lawsuit was filed against Aetna on behalf of an anonymous man who blamed the letter for his sister learning that he was taking HIV medication. The complaint was filed by the Legal Action Center, the AIDS Law Project of Pennsylvania, and the law firm Berger & Montague in the U.S. District Court for the Eastern District of Pennsylvania, demanding that Aetna cease sending the letters, reform its procedures, and pay damages. Aetna declined to comment.
On Friday, the New York Attorney General’s office told Aetna by email that the breach was “unacceptable” and appeared to violate both federal and state patient privacy laws. The office asked for an in-person meeting with an Aetna representative in the coming week. It also asked for information about how many New Yorkers were affected, Aetna’s patient privacy policies, how the breach happened, and how Aetna is correcting the situation.
This story has been updated with an interview with a man who received one of the letters from Aetna.
Stephanie Lee is a senior technology reporter for BuzzFeed News and is based in San Francisco.
Contact Stephanie M. Lee at email@example.com.
Got a confidential tip? Submit it here.