RACHEL MARTIN, HOST:
Health insurer Aetna has agreed to pay $17 million in a settlement over a major medical privacy breach. The breach itself was low tech, but it exposed HIV information about thousands of Aetna members nationwide. Elana Gordon from member station WHYY in Philadelphia reports. And we should note, Aetna was previously an NPR funder.
ELANA GORDON, BYLINE: Sam's jaw dropped when he got the letter from his insurer, Aetna, this summer.
SAM: I was shocked. You know, imagine it had gone to the wrong address.
GORDON: The envelope window was so big that he could see a reference to his prescriptions for HIV. He was in his apartment building in New Jersey and looked around feeling paranoid.
SAM: To be perfectly honest, I haven't disclosed my HIV status to my parents. Let's just say that letter had gotten forwarded to their house and, you know, someone happened to open the mail. Those are the types of things that were going through my mind.
GORDON: NPR agreed to not use Sam's full name because he worries about how going public with his HIV status might affect his work. Upwards of 12,000 of Aetna's members who take HIV meds received similar letters. Ronda Goldfein is director of the Aids Law Project of Pennsylvania.
RONDA GOLDFEIN: This isn't your nosy neighbor held your letter up to the light so they could read the text. If you look at the face of the envelope, it's clear that the first three or four lines of text are visible.
GORDON: In August, her office and other legal aid groups started getting complaints from hundreds of people who had received the letter. Goldfein says despite improvements in HIV treatment and reduction in stigma, people still experience serious discrimination.
GOLDFEIN: We often hear that people don't get tested and treated because they are fearful that their private information will get out and that they will be at risk of harm.
GORDON: Aetna set up a relief fund early on, but when Goldfein's group and others realized the scale of the problem, they filed suit last summer. On Wednesday, Aetna agreed to settle for $17 million. It's still pending a judge's approval, but in a statement, the insurers said it's worked to address the potential impact of the mailers. And it's establishing measures to ensure something like this doesn't happen again. To privacy expert Bill McGeveran, the settlement really stands out.
BILL MCGEVERAN: It's a much bigger settlement than ordinary identity theft scenarios where an online database has been breached.
GORDON: McGeveran teaches law at the University of Minnesota. He says companies may be so focused on IT security that they overlook basic privacy violations.
MCGEVERAN: They're about things being overheard. They're about paper records. And in this case, it's about a paper mailing.
GORDON: As part of the settlement, each person who received a letter will get an automatic payment of $500. And there's a separate fund to file for additional damages of up to $20,000. For NPR News, I'm Elana Gordon in Philadelphia.
(SOUNDBITE OF MUSIC)
MARTIN: That story is part of a partnership between NPR, Kaiser Health News and WHYY's The Pulse.