Provided by:  Jennifer Kirschenbaum, Esq.

August 19, 2020


We all make mistakes.  Mistakes related to protecting to protected health information can be costly.  Aetna settled with the Office for Civil rights for $1mil over 3 self-made breach reports.  (1) Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines. (2) Aetna became aware that benefit notices were mailed using window envelopes. Shortly after the mailing, Aetna began receiving calls and emails from members who had received the benefit notice complaining that the letter could be shifted within the envelope in a manner that allowed the words “HIV medication” to be seen through the envelope’s window below the member’s name and address.  (3) A research study mailing sent to Aetna plan members contained the name and logo of the research study in which they were participating, on the envelope.

OCR determined 

  1. Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information (PHI) (see 45 C.F.R. § 164.308(a)(8)); B.
  2. Aetna failed to implement procedures to verify that a person or entity seeking access to PHI is the one claimed (see 45 C.F.R. § 164.312(d)); 2 C.
  3. Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches (see 45 C.F.R. § 164.502(a));
  4. Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure (see 45 C.F.R. § 164.514(d));
  5. Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI (see 45 C.F.R. § 164.530(c)).
While many of us do not operate on the scale of an "Aetna", we are required to implement proper HIPAA protections similar to the requirements OCR holds Aetna to.   To discuss HIPAA compliance and your practice's Security Risk Assessment, set a time with Taryn ( for a consultation, which is free of charge.