Aetna mails it in

Sometimes an envelope and poorly thought-out patient privacy procedures are all you need for a data breach, as Aetna discovered last summer. The insurance company was, no joke, sending out letters in response to a previous privacy violation, notifying patients who took the HIV preventative PrEP about changes to ordering the medication. So they put this information in an envelope with a nice, oversized window through which you could see the patient’s name and a reference to HIV prescriptions. That’s a patient privacy nightmare for any condition, and it’s made worse by the stigma still surrounding the virus. Aetna agreed to pay $17M to the patients last Wednesday, which will presumably come in the form of checks with the memo “We’re sorry about telling everyone about your HIV status.”