CVS Health sued after exposing HIV status of 6,000 patients

US healthcare provider CVS Health has been sued after leaking the HIV status of more than 6,000 patients.

The private healthcare company was named in a suit filed in Ohio over letters sent to HIV-positive patients on the state’s AIDS Drug Assistance Program.

Among the details visible through the large transparent window on the envelope was a healthcare reference code including ‘HIV’, printed just above their name and address.

The lawsuit, filed on behalf of three unidentified patients, alleges that the company is responsible for risking the disclosure of their HIV status to friends, family and postal workers without consent.

Fiserv, the company contracted by CVS to send the letters, is also named in the suit.

The complaint, filed in the U.S. District Court for the Southern District of Ohio, said: “The Defendants’ [actions] resulted in the potential or actual disclosure of recipients’ HIV status to numerous individuals, including their families, friends, roommates, landlords, neighbours, mail carriers, and complete strangers.

“The use of envelopes with transparent windows contravenes the standard practice of the Ohio Department of Health, which is to send all mailings relating to HIV-related issues in opaque, non-windowed envelopes.”

It adds: “Persons with HIV are still subject to stigma, humiliation, mental anguish, embarrassment, and stress based on their HIV status. They may also run the risk of the loss of housing, relationships, and employment when their HIV status is revealed.

“John Doe One feels that CVS has essentially handed a weapon to anyone who handled the envelope, giving them the opportunity to attack his identity or cause other harm to him. He is rightfully concerned that members of his local community have or will learn of his HIV status.

“John Doe Two lives in a small town and fears the stigma that would result from the disclosure of his HIV status. The more people who know that he is HIV-positive, the less safe he feels. He is concerned that people such as his postal delivery person now knows his HIV status, particularly since CVS forces him to obtain his HIV medications by mail order and he receives those medications at the same address.

“John Doe Three lives in a small town where ‘everyone knows everyone.’

“He does not publicly disclose his HIV status, but has friends and relatives who work for the U.S. Postal Service who would have seen this mailing and discovered his HIV status because of the Defendants’ mailing.

“He is also experiencing significant distress as a result of this disclosure, including an understandable fear to leave his home, and has also experienced increased complications and health issues since this disclosure, up to and including just in the past several days.”

A sign is posted on the exterior of a CVS Pharmacy (Photo by Justin Sullivan/Getty)

The suit added: “Defendants also acted with a conscious disregard for the rights and safety of other persons that has a great probability of causing substantial harm.

“Defendants knew that it is unlawful and likely harmful to disclose patients’ HIV status to the public, and that any persons whose PHI was disclosed were to be separately notified of that breach.”

The plaintiffs also allege that CVS did not failed to announce the breach of privacy data, and failed to contact patients whose status was revealed..

They added:  “CVS hampered efforts to remediate the damage by failing to notify affected individuals and the United States Department of Health and Human Services, in violation of their own stated privacy policy.”

CVS Health said: “CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously.

“As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings.”

A spokesperson previously told the LA Blade: “A reference code for this assistance program included a serious of letters and numbers (PM 6402 HIV) that were visible within the envelope window.

“This reference code was intended to refer to the name of the program and not to the recipient’s health status.

“No other protected health information was exposed.”

A similar case was previously brought against Aetna, a US-based health care insurance company.

The company paid a settlement of more than $17 million after facing legal action over letters sent to around 12,000 customers living with HIV last year.

HIV campaigners said lapse has left many people “devastated” as their HIV status was unlawfully disclosed to anyone who happened to see the envelope.

Aetna later agreed to pay $17,161,200 to resolve the claims.

Under the settlement, 11,875 people who had their HIV status shared are entitled to receive at least $500 each.

An additional 1,600 patients are entitled to $75 as their names and other information was disclosed.