CVS Health is being sued for allegedly revealing the HIV status of some 6,000 people in Ohio.
According to a federal class-action suit, filed on March 21 by three unidentified patients, the company sent out letters last year that revealed the status of participants in the state’s HIV drug-assistance program through the clear window of the envelopes.
The letters included customers’ new benefits cards, as well as information about a mail prescription program. Fiserv, the company hired to mail the letters, is also named in the suit.
One plaintiff said he “feels that CVS has essentially handed a weapon to anyone who handled the envelope, giving them the opportunity to attack his identity or cause other harm to him,”
Another said he has concerns about the stigma related to being HIV-positive affecting not only himself, but also his friends and family. The third reported also experiencing “significant distress as a result of this disclosure,” especially living in a small town where “everyone knows everyone.”
Attorneys for the plaintiffs claim CVS failed to announce the privacy breach, and did not contact all the patients whose status was compromised.
A spokesperson for the pharmacy giant said that only a reference code for the assistance program, not the recipient’s HIV status, was intended to be visible in the windows, and that CVS will remove the code in future mailings.
“CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously.”
Last year, Aetna was criticized for mailing out more than 12,000 letters that exposed information regarding HIV medications through envelope windows. Aetna agreed to pay more than $17 million to those affected and take steps to prevent future incidents.