PHILADELPHIA – A lawsuit against a medical company is a reminder that personal security can also be at risk in offline situations, one data security lawyer says.
A class action lawsuit has been filed against Aetna, claiming the company did not do enough to secure the privacy of those taking HIV medications.
Plaintiff and Pennsylvania resident Andrew Beckett (a pseudonym) filed the complaint in the U.S. District Court for the Eastern District of Pennsylvania on Aug. 28.
The issue that began the complaint was that “Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy.”
In a related sequence of events, Aetna was also sued in 2014 and 2015 on similar matters. However, the company settled with the plaintiffs at that time, each one receiving $24,000 and their lawyers receiving an undisclosed sum, Beckett's complaint states.
The complaint filed by Beckett indicates that the company had agreed, as part of the individual settlements, that patients would no longer be forced to have their medications delivered via mail. Yet the notices announcing this change in policy, sent to 12,000 patients, were sent out in an envelope with a glassine window, which made the purpose of the letter visible.
Thus Beckett claims that his and other patients' HIV-positive status was disclosed, putting them at risk for discrimination.
“The Aetna lawsuits underscore the fact that cybersecurity isn’t just about the latest and greatest technologies,” Craig A. Newman, head of the Privacy & Data Security practice at Patterson Belknap Webb & Tyler LLP in New York, told the Pennsylvania Record.
“It’s the low-tech ball-drops that create enormous and unnecessary liability for companies. Here, it was about using the wrong envelope or not shielding protected health care information with a blank sheet of paper.”
Newman said it was important that companies maintain proper security habits offline as well as on.
“As we focus more on high-tech solutions to data security challenges, we can’t forget the simple things like locking file drawers, shredding sensitive documents, and making sure our vendors do the same.”
He also said it was too early in the case to know whether this was common practice by Aetna.
“It’s very early in both cases so the information available is quite limited,” Newman said.
“What we know is that the complaints charge that Aetna violated the privacy rights of policyholders when the insurer mailed prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication prescriptions.”