Window Envelope Causes Breach of Privacy Catastrophe
Not all breaches of confidential data are the work of shadowy hackers in dark corners.
Sometimes the culprit is no more sinister than a simple #10 window envelope.
Just look at what happened to Aetna. Back in the summer, the insurance giant mailed letters to approximately 12,000 customers with AIDS in 23 states. The letters, enclosed in an envelope with a transparent address window on the front, conveyed information regarding a change in the processing of prescription claims.
But if you looked through the window, you could see the patients’ names, as well as the phrase “filling prescriptions for HIV.”
“People have been devastated,” said Sally Friedman, legal director at Legal Action Center. “We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members — but this is how their family members found out.”
A class action lawsuit has been brought against Aetna alleging breach of privacy. “[H]ighly confidential matter” was made visible to “family, roommates, friends, neighbors, landlords, mail carriers, and even complete strangers,” the lawsuit alleges.
“People with any private health conditions, whether you’re being treated for cancer or a behavioral condition, just imagine having that flat out on the front of an envelope for anyone to see,” said Friedman. “It should be a grave concern to everyone.”
Little Details, Big Consequences
What Aetna did – using a cheap window envelope for a mass mailing – was common corporate practice. The problem, of course, was that the mailing in question contained highly sensitive information, which should have triggered heightened safety precautions.
In this age of hacks and cybercrime, it is easy to overlook the little details that can have grave consequences. Here are some law office confidentiality reminders:
1. What happens in the office stays in the office. Don’t discuss business outside the confines of the law office.
2. Don’t discuss one client’s business with another client, or while another client might be in listening range.
3. Beware water cooler conversations. Can your chatter be overheard in the lobby?
4. Keep case files segregated. The duty of confidentiality continues even after the case is closed, and after you leave the firm.
5. Be wary when clients or outsiders want to use your office for any reason, such as to make copies or to use the telephone.
6. Never release information to callers such as the name of a client’s accountant, doctor or insurance adjuster without authorization.
7. Be careful when disposing of confidential papers, including rough drafts or duplicates. Use shredders, a professional document destruction service, or some other secure method.
8. Don’t take phone calls when a client is in your office. Give the client your undivided attention. This is especially important if the call concerns another client’s case. The client might feel that you will discuss his or her case on the phone while other clients are listening as well.
9. Don’t leave client files out on your desk for other clients to see. This goes for staff members as well.
Get more confidentiality tips – along with lots of other best practices – in Lawyers Mutual’s free Office Procedures Manual.
- The Hill http://thehill.com/policy/healthcare/health-insurance/348320-aetna-hit-with-class-action-lawsuit
- Lawyers Mutual – Confidentiality Tips http://www.lawyersmutualnc.com/risk-management-resources/risk-management-handouts?page=4
- Lawyers Mutual Office Procedures Manual https://nmcdn.io/e186d21f8c7946a19faed23c3da2f0da/556712d9bf0f4cb2a916cc810687d52b/files/risk-management-resources/risk-management-handouts/Office_Procedures_Manual.pdf
- Stat News https://www.statnews.com/2017/08/24/aetna-hiv-envelopes/
- Ars Technica https://arstechnica.com/tech-policy/2017/08/low-tech-privacy-breach-earns-aetna-lawsuit-for-revealing-hiv-patients/
- Professional Liability Matters http://professionalliabilitymatters.com/2017/09/19/its-the-little-things-that-count-in-cybersecurity/