The wrong envelope caused Aetna to accidentally leak customers’ HIV statuses

A letter showed whether customers were taking PrEP and other HIV-medications through a transparent window.
A letter showed whether customers were taking PrEP and other HIV-medications through a transparent window.
Image: AP Photo/Jeff Chiu
We may earn a commission from links on this page.

It all could have been avoided with opaque envelopes.

On Aug. 24, STAT broke the news that Aetna, an insurance company in the US, had accidentally disclosed the HIV status of some customers living on the east coast and in Indiana.

On July 28, Aetna sent out information about pharmacy benefits using a third-party mailing vendor. This vendor used a windowed envelope (the kind typically used for bills) which in some cases shifted to show that a patient was taking medication associated with HIV. About 12,000 letters with these envelopes were put in the mail, although not all of the recipients had HIV.

According to a letter (pdf) uploaded by CNN, Aetna became aware of the privacy breach on Aug. 2.

In a press release sent out yesterday lawyers for the Legal Action Center in New York and the AIDS Law Project of Pennsylvania demanded that Aetna change the way that it sends patient information in the future.

Unfortunately, there isn’t really anything to be done for those recipients whose medications were shown through the envelope window. US postal workers delivering the letters or anyone picking up the mail that day had access to that information. So far, the lawyers say they’ve received 23 complaints from people whose HIV medications were disclosed.

Some people living with HIV are expected to live almost as long as those without it, thanks to improved medication with fewer side effects. However, the virus, which is spread in part through sexual contact or shared needles, is still heavily stigmatized. “People have been devastated. We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members—but this is how their family members found out,” Sally Friedman, the director of the Legal Action Center, told STAT.

In the US, medical information is confidential between a healthcare provider and the patient (and in some cases, family members or caretakers with the patient’s consent), per the Health Insurance Portability and Accountability Act (HIPAA). However, there is no standard for what kinds of envelopes need to be used when mailing this information. In 2015, there were at least four separate instances of medical information being exposed through mailing envelopes that were not opaque.

Aetna apologized profusely in a subsequent letter sent to customers, and told recipients that they have the right to file complaints with the Office of Civil Rights in the Department of Health and Human Services. There’s no word on the vendor responsible for the mistake, but we’re guessing they won’t be working with Aetna in the future.