$1 Million Settlement for HIPAA Violations is Cautionary Tale


By: Amy Bender

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that insurance giant Aetna will pay $1,000,000 to settle HIPAA violations stemming from the following three disclosures of nearly 19,000 plan members’ protected health information (PHI):

  • Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines
  • Benefit notices were mailed to members using window envelopes that displayed the words “HIV medication”
  • The envelope of a research study mailing that was sent to members contained the name and logo of the atrial fibrillation (irregular heartbeat) study in which they were participating

OCR determined that Aetna had committed the following HIPAA breaches:

  • Impermissible disclosures of PHI
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI
  • Failure to implement procedures to verify that a person or entity seeking access to PHI is the one claimed
  • Failure to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure
  • Failure to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI

In addition to paying the hefty fine, Aetna must implement a corrective action plan that includes implementation of, distribution of, and workforce training on written policies and procedures relating to privacy of PHI.

A copy of the settlement agreement and corrective action plan is posted on OCR’s website, available here.

This settlement is yet another reminder to HIPAA-covered entities to be vigilant in maintaining the privacy of PHI. Violations can be costly and result in negative publicity. Freeman Mathis & Gary’s Data Security, Privacy & Technology practice group can assist your organization with implementing data security policies and procedures, other preventative measures, and remedial efforts following a data breach. Please contact Amy Bender at for more information.