Aetna fined $1M for breach of members’ health information

Aetna has agreed to pay a $1 million fine to settle potential violations of federal health privacy law.

A subsidiary of CVS Health Corp. since 2018, Aetna reported that about 5,000 people were affected by an April 2017 breach of information. The insurer found that two web services used to display insurance plan-related documents were accessible without login credentials, the U.S. Department of Health and Human Services said. As a result, the documents had been indexed by internet search engines.

Aetna said the disclosures included names, insurance identification numbers, claim payment amounts, procedure service codes and dates of service, the Health and Human Services Department said.

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure,” said Roger Severino, director of the health and human services department’s Office of Civil Rights.

Aetna’s failure to follow health insurance privacy rules resulted in three breaches in six months, he said.

Mike DeAngelis, a spokesman for CVS, said protecting members’ privacy “is a responsibility we take very seriously.”

“We have since updated our processes and procedures to further protect member information and are working cooperatively with the Office of Civil Rights to further enhance our policies related to privacy and security,” he said.

Aetna reported a breach in August 2017, saying benefit notices were mailed to members using window envelopes. Aetna received complaints from members that the words “HIV medication” could be seen through the envelope’s window below the member’s name and address. Aetna said 11,887 individuals were affected by the disclosure.

Aetna also reported a breach in September 2017 related to a research study mailing sent to plan members: the envelope carried the name and logo of an irregular heartbeat study in which the recipients were participating. About 1,600 individuals were affected.

An investigation by the Health and Human Services Department’s Office of Civil Rights found that Aetna failed to perform periodic technical and nontechnical evaluations of changes affecting the security of their electronic health information or establish procedures to verify the identity of persons or entities seeking access to electronic personal health information.

The settlement includes two years of monitoring.

Stephen Singer can be reached at ssinger@courant.com

———

©2020 The Hartford Courant (Hartford, Conn.)

Visit The Hartford Courant (Hartford, Conn.) at www.courant.com

Distributed by Tribune Content Agency, LLC.
