Aetna’s Failure to Respect HIV Patient Privacy

Most of us believe that our medical and health information is private and that it should be protected from disclosure without our knowledge or consent. This is especially true, where we may not want others, such as our family, friends, roommates, landlords, neighbors, co-workers, mail carriers, or even complete strangers, to know about a health disorder or condition which may be potentially embarrassing or misunderstood. In recognition of this expectation of privacy, many states and the federal government have enacted strict privacy laws, protecting against the release or misuse of a person’s sensitive medical information. For instance, Congress passed the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), regulating the use and disclosure of Protected Health Information (“PHI”) by healthcare plans and providers, including health insurance companies. Similarly, Pennsylvania has enacted laws prohibiting the disclosure of patients’ confidential health information, including the disclosure of confidential HIV related information. 35 P.S. § 7602(a).

That is why, when Aetna Insurance Co. inadvertently exposed the HIV status of up to 12,000 patients in 23 states, Pennsylvania legal groups quickly responded by filing a class action lawsuit against the company. In the lawsuit, they alleged that Aetna has repeatedly failed to respect the privacy rights of people who are taking HIV-medications, twice before in 2014 and 2015, and most recently, when the company sent envelopes with large transparent glassine windows to their customers’ homes and workplaces, through which the phrase “…Aetna health plan when filling prescriptions for HIV Medic…” could be clearly read.

According to the lawsuit, due to the extreme social stigma and discrimination faced by people living with HIV and AIDS, thirty-nine states, including Pennsylvania, have enacted either HIV-specific privacy statutes or general privacy provisions that expressly mention HIV, hoping to encourage people to be tested and treated for HIV without fear of interference with their privacy or safety. Yet the class action claims that in 2014 and 2015, Aetna was sued in two lawsuits, alleging that Aetna illegally required its insureds to obtain HIV medication solely through the mail, rather than allowing them to obtain their medications in person at a retail pharmacy. This requirement, the prior lawsuits asserted, was fraught with privacy concerns associated with being required to receive HIV medications through the mail. Both lawsuits were quietly settled out of court, and as part of the settlement agreement, Aetna agreed to send out notices to former and current members of Aetna health plans who had submitted claims for coverage for their HIV medication. Afterwards, however, Aetna allegedly hired a third-party vendor, instructing the vendor to send out these notices, each of which clearly identified Aetna’s customers as people taking HIV medications. According to the class action suit, Aetna never sought a court order allowing it to disclose this information to its vendor, and never presented the court with a “compelling need” or justification for making these disclosures to the vendor, as is required under Pennsylvania law.

Thus, when this third-party vendor sent out thousands of notices in July and August of 2017, using the above mentioned transparent envelopes, the HIV status of the plaintiffs in the class action suit was exposed. For instance, the lawsuit claims that the HIV status of the lead plaintiff in the case (identified by the pseudonym “Andrew Beckett”, due to privacy concerns) was exposed to his sister’s fiancée, when the fiancée saw the letter addressed to the plaintiff from Aetna, providing instructions on how to fill his prescription for HIV medication. The fiancée immediately told the plaintiff’s sister, who then approached the plaintiff, forcing the plaintiff to make the unexpected and uncomfortable disclosure that he was taking medicine to protect himself from getting HIV. This conversation, according to the lawsuit, led to further embarrassing and invasive discussions regarding why the plaintiff needed to protect himself, which activities put him at risk for exposure and other topics of an extremely intimate nature. Ultimately, these discussions resulted in a change in the nature of the relationship between plaintiff and his sister, as well as similar difficulties for the thousands of other plaintiffs in the class action, all of which could have been avoided had Aetna simply used a non-transparent envelope to convey this sensitive health information.

The class action suit, thus, alleged breaches of the Pennsylvania Confidentiality of HIV-Related Information Act, Pennsylvania Unfair Trade Practices and Consumer Protection laws, and HIPAA, as well as claims for negligence, breach of contract, invasion of privacy, and unjust enrichment against the Aetna defendants. It remains to be seen what, if any, recourse the plaintiffs will have going forward, but it is improbable that any action that Aetna may take will undo the damage done to the lives, relationships, and reputations of up to 12,000 individuals and their communities.