You'd think if there were anyone whose health information should be protected, it would be people with HIV. Yet Aetna admits to exposing data indicative of both the HIV status and risk of thousands of its beneficiaries with a poorly designed envelope.
According to a press release from the Legal Action Center in New York City and the AIDS Law Project of Pennsylvania, the leak came from a letter on pharmacy benefits that Aetna sent to beneficiaries who were taking HIV medications or pre-exposure prophylaxis (PrEP), a preventive treatment which, according to the Centers for Disease Control and Prevention (CDC), is for people "who are at substantial risk of getting" HIV infection.
In their letter to Aetna, the Center and the Project explain these letters had "a large clear window through which anyone can see not only the name and address of the intended recipient, but also information about where to purchase their HIV medication." You can see a sample envelope here.
They demand that Aetna stop sending the letters in this format and "take corrective measures to ensure that this gross breach of privacy and confidentiality never reoccurs."
They also mention that "many [affected beneficiaries] have already filed complaints with administrative agencies, such as the Office for Civil Rights of the U.S. Department of Health and Human Services and state insurance regulators," so you may be hearing more about this in Part B News compliance stories over time -- especially since NPR reports Aetna has sent out a notification letter -- a first step in proper HIPAA privacy breach response -- that reveals the windowed letters went out to about 12,000 people.