
Aetna accidentally exposed customer HIV statuses in clear envelope windows - justin66
https://www.washingtonpost.com/news/morning-mix/wp/2017/08/25/aetna-accidentally-exposed-customer-hiv-statuses-in-clear-envelope-windows/
======
bridanp
This is the kind of thing that induces panic attacks in my business because so
much time is spent on the look and feel of any letter going out to customers,
and so little time is spent on the finished product (ie QA process for the
letter in the envelope). It's probably not a matter of the company being evil
(although Aetna could probably be described that way at times). It's more than
likely 1) the lack of proper procedure in place regarding mass mailing, 2) the
lack of a standardized Quality Assurance program, and/or 3) a 3rd party was
contracted out by Aetna to do the mass mailing and they you could probably
wrap back through #1 and #2 for them as well.

None of scenarios can diminish just how awful this is of course. There are
some things you can get wrong on that envelope that are bad, but not really
livelihood threatening. This is life changing for a huge number of people I'm
sure, and the companies involved should be held accountable for the breach.

~~~
jacquesm
> 3rd party was contracted out by Aetna to do the mass mailing and they you
> could probably wrap back through #1 and #2 for them as well.

To contract this out would be a terrible breach of protocol.

~~~
MaxfordAndSons
>To contract this out would be a terrible breach of protocol.

That's false. HIPPA covered entities are allowed to engage contractors, who
are allowed to handle protected health information (they also must comply with
HIPPA, of course).

Source: have worked for an HIO (health information organization, a type of
HIPPA compliant contractor), and [https://www.hhs.gov/hipaa/for-
professionals/faq/547/to-what-...](https://www.hhs.gov/hipaa/for-
professionals/faq/547/to-what-extend-does-hipaa-allow-third-parties-to-access-
information/index.html)

~~~
jacquesm
You are 100% correct, I messed that up. What came to mind was the likes of
Sendgrid or Mailchimp. Apologies and thank you for the correction.

------
chimeracoder
Note that the USPS also scans and stores images of the front and back of all
mail it delivers, even if you don't opt in for their digital delivery
service[0]. So this means that the USPS - and anybody else with access to
their images, which includes law enforcement - now knows the HIV status of
these people.

[0] [http://www.nytimes.com/2013/08/03/us/postal-service-
confirms...](http://www.nytimes.com/2013/08/03/us/postal-service-confirms-
photographing-all-us-mail.html)

~~~
ianmiers
Scarier point: USPS probably knows without that. If these letters are sent out
in batches and the envelopes/timing/vender is unique, then all it takes is
knowing that 1 letter is abut HIV and then you know all of them are without
ever seeing the content.

~~~
SomeStupidPoint
At USPS scale, wouldn't the density of the letters versus public statistics on
disease prevalence be a strong indication?

------
mabbo
Oh neat, I just signed up for Aetna (first time working in America since ACA).

Is this normal for them? Am I an idiot?

~~~
sqeaky
You shouldn't be downvoted for normal and reasonable questions, or even for
self doubt.

Aetna is terrible. The lobby against healthcare reform at every turn. They
didn't want obamacare/ACA they didn't want to compete accross state lines,
they want to be able to exempt people from pre-existing conditions, they want
to give people the run-around.

They are not trustworthy and they are run by bad people. (don't beat up on
their phone agents though, they are just trying to make ends meets).

~~~
mabbo
Awesome. I can't change my decision for another year, and then only to Blue
Cross. Are they also terrible?

~~~
nsxwolf
Right now I'm on the hook for 5 figures with BC/BS for my son's birth
expenses, because HR screwed up his application. It's a Kafkaesque byzantine
labyrinth of red tape and buck passing. I'm not sure they're evil, just
bureaucratic.

~~~
sjg007
I think that should be covered under the mom's insurance at least for 30 days
post birth (at least in California). I could be wrong..

~~~
nsxwolf
It is for sure, but it's tough getting them to do what they're supposed to do.

------
dqv
Wow, this is actually something I consider when sending letters to my clients.
I don't ever want to "leak" their info, even if it's not really considered
sensitive.

I always assume the top third to be "compromised", only putting the private
contents in the lower two thirds or on the back.

I wonder why they don't have the mailing rule of the top third as a written
policy.

~~~
ThrustVectoring
A cost/benefit analysis of "put all HIPAA-relevant information inside an
opaque envelope" probably comes out ahead if it prevents one issue like this.

Hell, make the envelope a specific color to make it really obvious that you've
done things correctly.

~~~
chimeracoder
> A cost/benefit analysis of "put all HIPAA-relevant information inside an
> opaque envelope" probably comes out ahead if it prevents one issue like
> this.

To be pedantic, the patient's name and address are both considered PHI under
HIPAA.

The way that most insurers deal with this is by mailing an envelope that has
no obvious information on the outside about the sender (it has a return
address that's usually a PO box somewhere in the midwest, but not the
company's name). So without opening it, you can't tell that the piece of mail
relates to medical information.

Banks do this as well when mailing things like credit cards, to make it less
obvious to a would-be interceptor of the mail that there's something valuable
inside. (Of course, the deliberate inconspicuousness of it is itself
conspicuous, but that's another problem).

------
pluma
Does the US not have standardized letter and envelope sizes?

In Germany we have standards for paper sizes, window placement and the layout
of business letters. Considering this type of letter is probably not typed out
by hand, it's trivial to use a template with the correct layout. At that point
the choice of letter becomes irrelevant.

I'd expect the US to have something similar but maybe they don't? If there are
standards, this boils down to either "Aetna used non-standard envelopes" or
"Aetna formatted letter incorrectly".

~~~
rdiddly
There is no standard that I'm aware of. On a related note, if I had a dollar
(or a Euro) for every US problem that the Germans solved long ago through
straight thinking, I'd have enough money to move to Germany.

~~~
dsfyu404ed
If I had a dollar for every problem the Germans introduce by over-thinking
current problems I could drive a German luxury car (that is old enough to not
still be under warranty).

~~~
cr0sh
> I could drive a German luxury car

...and then your mechanic will curse you for having a vehicle that is insanely
difficult (and expensive) to repair (hang out on /r/justrolledintotheshop for
a little while to see what I mean - "service position" anybody? Or what about
the carnage to fix a simple heater core?)...

~~~
dsfyu404ed
Service position is a Volvo thing IIRC.

Reddit has an Toyota fetish which I find pretty intolerable.

------
neom
A dude in my girlfriends class at a good university in nyc just had this
happen and his roommate saw and went to the school and said they want him
removed from the dorm, school obviously said no, but it was a huge ordeal.

------
pasbesoin
Separately, it has been reported in the last several years that the U.S.
Postal System has implemented imaging _every single piece of mail it moves_.

They have already OCR-ed addresses from mail, for years. If they are now
retaining the raw images, does this mean that they've inadvertently collected
and are holding the HIV status of all the Aetna customers affected by this
information leak?

So far, it seems the USPS is not selling what it's collected. (Although I'm
sure some of the "make a buck any way you can" crowd in DC and elsewhere would
not be above enabling and pushing them to do so.) But, next year? And in case
you thing this is far-fetched, many state departments of motor vehicles (DMV)
already make their drivers license photographs commercially available, IIRC.

------
dsfyu404ed
Since most of this thread has turned into comparing the terribleness of
insurance companies I'll say it again:

A good said of less than legitimate identification documents are probably far
more useful to someone needing urgent medical care than insurance coverage is.

------
kelukelugames
[https://vine.co/v/5hBviTJuHj5](https://vine.co/v/5hBviTJuHj5)

------
sjg007
massive HIPPA violation.

------
occultist_throw
Reading further in, it was a screw-up on the paper envelope that had too big
of a window and referred to HIV treatment connected to the person's name. This
is really bad, but it was 12k localized instances of crummy physical mailing.

Its pretty bad, but it's not like this was "300k people leaked by hackers for
ransom".

~~~
Broken_Hippo
This could have been prevented, though, and now folks could have to deal with
a lot of harassment. There are still folks out there that think AIDS is a
punishment from god for a sinful lifestyle or will assume you are gay (with
all the discrimination that comes with it). Yet other folks finding out will
simply stop using normal gestures with you and stand further back, simply
because they are afraid they'll magically catch aids.

Sure, it wasn't 300k people leaked by hackers for ransom. It was giving folks
reason to discriminate against 12k people. Does it matter if it was localized?

~~~
yebyen
There are two sides to the story though (I'm not defending Aetna, I'm saying
this is not only a problem for people who live around bigots.)

Some non-zero percent of those 12k people live with a partner who doesn't know
their HIV status. It is (edit: could be, if untreated) totally unethical for
those people to fail to disclose their status to their partners, but arguably
it's much worse for those people to be outed by their health insurance
company, who should really be the (#@[expletive](/#@ experts in privacy here.

I'm really not sure it's OK that this letter went out at all, even if they had
used the right privacy envelopes!

~~~
chimeracoder
I fully expect to get downvoted for this, but it's an important point that I
have to address.

> Some non-zero percent of those 12k people live with a partner who doesn't
> know their HIV status. It is totally unethical for those people to fail to
> disclose their status to their partners

This is itself based in old misinformation about HIV that serves to perpetuate
harmful stigmas around HIV.

HIV is treatable, and when properly treated, _cannot be transmitted_ [0].
That's not even taking into account other forms of HIV prevention that are
practiced to reduce the risk of HIV transmission. While it's advisable for an
HIV- to ask their partner's HIV status (and HCV, and other STD statues), a
person with HIV under proper treatment should not be expected to proactively
disclose that to every partner or potential partner, and it's not "totally
unethical" for them to make the decision not to volunteer that information
unasked.

[0] Decades of misinformation have drilled the false belief that HIV is always
infectious into people's minds, to the point where public health groups are
literally launching massive campaigns to correct this belief.

~~~
ars
So then how are people still getting HIV?

When thinking about the ethical implications you have to take the real world
into consideration, not the perfect world.

~~~
Broken_Hippo
"So then how are people still getting HIV?"

Some folks don't know they have it, and there are big gaps in health care. Not
everyone that needs to be tested or _should_ be tested has the means or
transportation to do so, let alone afford the medications. Theoretically, we
could test this with normal bloodwork and have tax dollars pay for the
medications, treating it like a public health cause. We just don't, partially
because of outdated views on it, bigotry, and so on.

Granted, this is completely ignoring the world outside the US, where there are
other difficulties.

This is the real world you were referring to, right?

It should also be obvious that he's referring to folks that have medication
available. HIV isn't the death sentence it used to be because we've made great
strides.

