AIDS and HIV

CVS exposes patients’ HIV status in mailings

By Lou Chibbaro Jr.

August 31, 2017

CVS Caremark, a division of the CVS pharmacy and healthcare company, abruptly discontinued a mailing last week to patients in Ohio receiving HIV-related medication from the company after it learned that a reference to “HIV” appeared above the patients’ names in the window of the envelopes sent to about 4,000 people.

The inadvertent showing by CVS Caremark of an HIV reference on the outside of an envelope mailed to people with HIV came less than a month after the AETNA health insurance company accidently revealed the HIV status of its clients in a nationwide mailing to about 12,000, including some living in D.C.

AIDS activist Eddie Hamilton of Columbus, Ohio sent the Washington Blade a photocopy of the envelope he received from CVS Caremark on Aug. 24, which includes the notation “PM 6402 HIV” directly above his name and address in full view in the window of the envelope.

“CVS Health places the highest priority on protecting the privacy of our patients and we take our responsibility to safeguard confidential patient information very seriously,” said Michael J. DeAngelis, a spokesperson for CVS Health.

In a statement to the Blade, DeAngelis said CVS Caremark, which serves as the parent company’s pharmacy benefits manager, recently mailed pharmacy benefit information to about 4,000 participants in Ohio’s AIDS Drug Assistance Program, or ADAP. ADAP is a federally funded program administered by the states to pay for life-saving HIV medication for low-income people who can’t afford health insurance or who are underinsured.

“A reference code for this assistance program included a serious of letters and numbers (PM 6402 HIV) that were visible within the envelope window,” DeAngelis said in his statement. “This reference code was intended to refer to the name of the program and not to the recipient’s health status,” he said.

“No other protected health information was exposed,” he continued. “As soon as we learned of this incident, we immediately halted the mailings and are currently taking steps to eliminate the reference to the plan name in any future mailings.”

The D.C. Department of Insurance, Securities and Banking on Aug. 29 announced it has opened an investigation of AETNA Health in response to the privacy breach caused by its showing of the HIV status of 12,000 AETNA policy holders across the country. The announcement says AETNA offers health insurance plans to residents of D.C., Maryland and Virginia.

“As the District’s financial services regulator and consumer advocate, it is our responsibility to make certain that the District’s insurance policyholders’ health rights are protected,” said Stephen C. Taylor, the DISB Commissioner.

“In addition, DISB will reach out directly to the 390 affected District policyholders to provide them with details of the breach and the investigation,” Taylor said in the department’s statement.

Hamilton said he has been directing ADAP clients in Ohio who contacted him after receiving the CVS Caremark mailing to call the Ohio ADAP coordinator to report what he considers a breach of clients’ privacy.

He said he has also filed a complaint about the mailing to the U.S. Department of Health and Human Services’ Civil Rights Division.