So much of our attention is focused on digital risk that it is easy to forget that data breaches and leaks can just as often happen by other means. Consider the case of Aetna Insurance and the $18 million in fines and civil damages it will pay for something as simple as using the wrong envelope.
In the incident, Aetna members who were prescribed HIV medications were sent a letter in a large-window envelope. The size of the window and the way in which the letters were folded and inserted in the envelope made the individuals’ names, addresses, and claim numbers, as well as the first several lines of the letter containing instructions related to HIV medications, clearly visible from the outside of the envelope. The result was that the letter revealed to third parties the HIV status of some of the New Yorkers who received the letter, New York Attorney General Eric Schneiderman noted in a statement.
The company this week said it would pay $1.15 million in fines to the State of New York over two mailings in 2017 that exposed HIV drug information of 2,460 New Yorkers. That followed the company’s agreement last week to pay $17 million to settle a federal class action suit brought by the AIDS Law Project of Pennsylvania and the Legal Action Center on behalf of close to 12,000 Aetna customers who had been prescribed HIV medications revealed in the mailing.
The mailing clearly violated federal health privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) as well as state laws, including New York State Public Health Law Section 18, which requires patient authorization to reveal health information.
But the incident also underscores that lax business processes and training can be just as big a risk to data security as porous networks. In fact, a follow-up investigation by the New York Attorney General uncovered a previously undisclosed breach, in which an Aetna mailing to members with atrial fibrillation contained a logo for the research study “IMPACT-AFIB” that was easily viewed by third parties. That logo, matched with the name of the Aetna member to whom the envelope was addressed, constituted a breach of medical confidentiality.
Of course, these kinds of slip-ups are nothing new. HIPAA was written in anticipation of the digitization of medical records. But in the years before electronic health records became commonplace, dumpsters behind doctors’ offices and hospitals would periodically barf up sensitive patient records and information.
Similarly, for hackers, “tailgating” into a building behind a legitimate employee or perusing a company’s trash has long been a way of gaining valuable intelligence, including the names and emails of key employees and executives, details of their technology and network configuration, and even proprietary trade secrets.
With GDPR looming just over the horizon, Aetna’s $18m mailing envelope slip-up should be seen as a warning to companies that they need to consider and vet the entire chain of custody for sensitive data, including physical processes like the handling of paper documents that are used internally and sent outside of an organization. That includes work that their employees perform as well as work that they outsource to third-party firms (for example, bulk mailings), as GDPR makes it harder to foist off responsibility onto third-party firms that are part of the same “undertaking.” And, as this blog has noted, the fines for GDPR violations may well be larger than anything seen before by an order of magnitude.
As we said last week: Spring is Coming. In other words, with GDPR making it easier than ever for individuals to sue companies for violating their privacy rights, companies need to reconsider their data handling and processing from the ground up. Aetna’s snail mail fail reminds us that the mail room is just as important a place as the board room or the data center to be looking for problems.