Aetna agreed to pay the Office for Civil Rights $1 million to settle three separate HIPAA violations, HHS said Oct. 28.
Five things to know:
1. The breaches all took place within a six-month period in 2017 and affected nearly 18,500 members.
2. The first took place in April 2017. Aetna found that two web services used to display plan-related documents allowed those documents to be accessed without login credentials. Aetna said 5,002 individuals were affected by the breach, which disclosed names, insurance identification numbers, claim payment amounts, procedure service codes and dates of service.
3. The second took place in July 2017. Aetna mailed members benefit notices in which members' names, addresses and the words "HIV medication" could be seen through envelope windows. Aetna said 11,887 individuals were affected by the breach.
4. In September 2017, Aetna mailed a research study to members. The mailing contained the name and logo of the atrial fibrillation, or irregular heartbeat, research study in which they were participating. Aetna said 1,600 individuals were affected by the breach.
5. Aetna agreed to adopt a corrective action plan as part of the insurer's settlement.