Health insurer, Aetna, has recently come under fire for potentially revealing the HIV status of thousands of customers. The company has apparently mailed letters containing information in regards to ordering of HIV prescription drugs using envelopes with clear windows – through which the contents were visible.

The company sent out the letters on the 28 July 2017 to approximately 12,000 individuals; but it is unclear exactly how many were impacted – considering it depends on how the letter was positioned in the envelope. Aetna has since issued an official statement that reads, "We sincerely apologise to those affected. This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again."

Text visible through a small window on the envelopes, which Aetna mailed out to approximately 12,000 people, listed the patients’ names and suggested a change in how they would fill the prescription for their treatment for the virus. Photo credit: AIDS Law Project of Pennsylvanias
Text visible through a small window on the envelopes, which Aetna mailed out to approximately 12,000 people, listed the patients’ names and suggested a change in how they would fill the prescription for their treatment for the virus. Photo credit: AIDS Law Project of Pennsylvanias

The Legal Action Centre in New York City and the AIDS Law Project of Pennsylvania have sent a sent a “cease-and-desist” letter to Aetna, stating that the privacy breach caused "incalculable harm to Aetna beneficiaries."

"Aetna's privacy violation devastated people whose neighbours and family learned their intimate health information," said Sally Friedman, legal director of the Legal Action Centre. "They also were shocked that their health insurer would utterly disregard their privacy rights."

Unfortunately, breaches in healthcare are all too common. As a matter of fact, the healthcare industry ranks 9th when compared to the other industries in terms of overall security. Just this year, the global ransomware attack, WannaCry, revealed just how unprotected hospital computer systems are.

Global impact: The two biggest breaches in health information were with health insurance companies

In January 2015, Anthem Blue Cross, one of the largest health insurance companies in the world, suffered the biggest breach in healthcare data history. The records of 78.8 million patients were stolen and included highly sensitive data such as names, home addresses, dates of birth, income figures and social security numbers. Even employee data was breached.

The company assured customers that no health data was taken and provided free credit monitoring and identity protection services to those who were affected. There has been no evidence that any of the stolen data was used to commit fraud, nonetheless. More than 100 lawsuits were filed against the company and on 23 June 2017, it was announced that Anthem would pay USD115 million – the largest settlement ever for a data breach.

In 2012, like Aetna, Anthem too used envelopes with windows through which customer’s Social Security Numbers could be seen, compromising 33,000 patients.

Under the same umbrella group; but, a different company – Premera Blue Cross also faced a mass cyber-attack, which exposed the medical information of 11 million customers. As well as names, numbers and dates of birth, information such as bank account numbers, social security numbers and claims information were also stolen, just six weeks after Anthem’s exposure.

The records of employees from some of America’s largest business’s such as Amazon, Starbucks and Microsoft were also stolen. Dave Kennedy, the chief executive of IT security consultants company, TrustedSec LLC remarked, “Medical records paint a really personal picture of somebody’s life and medical procedures. They allow you to perpetrate really in-depth medical fraud.” Premera have also been hit by a number of lawsuits.

What enforcements are in place?

In the US, breaches that affect the public in this way fall under the Health Insurance and Probability Act, which sets money penalties and establishes procedures for investigations and hearings for any violations.

As of 2013, the Department of Health and Human Resources has investigated over 19,306 cases. Most were resolved by requiring changes in the practice of privacy or by corrective action, which are demanded only when the government detects noncompliance by the company.

In the UK, the Information Commissioner’s Office (ICO) is responsible for ensuring information is protected and when it is not, that action is taken. For serious breaches, there are fines, currently up to GBP500,000, enforcement notices, ‘stop now’ orders for when the individual or group behind the breach is identified, undertakings that commit businesses to a particular course of action following a breach and criminal prosecution.

Although firms are required to notify the ICO of a data breach, they can perform audits without warrants. Insurance firms are also obliged to establish and maintain systems that help protect private data.

Malaysia on the other hand, set up The Malaysian Medical Council's Confidentiality (MMC) Guidelines in 2011 and the Personal Data Protection Act (PDPA) in 2010. The PDPA is enforced by the Commissioner of the Department of Personal Data Protection and has the power to carry out inspections and investigations.

They can also serve enforcement notices to organisations in the event of a breach – and guide them on steps that they should now take. Should they suspect a group or individual of a breach, they can seize computers, documents and equipment and arrest people in such cases with or without a warrant. MIMS

Read more:
Data breach of Australia’s Medicare exposed, EHR safety concerns raised
Ensuring the safety of digital healthcare
Digital healthcare necessitates improved cyber security and a prepared society