Beginning in late July or early August 2017, the lawsuit says, a letter containing membership cards and information about getting HIV-related prescriptions through the CVS program were mailed out to an estimated 6,000 participants in OhDAP.
“CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously,” a statement from the company said.
“Last year, as part of a CVS Caremark benefits mailing to members of an Ohio client, a reference code for an assistance program was visible within the envelope window. This reference code was intended to refer to the name of the program and not to the recipient’s health status. As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings,” the statement said.
The reference code that was visible above the recipients name and address in the envelope window was a series of letters and numbers that ended with HIV.
“Persons with HIV are still subject to stigma, humiliation, mental anguish, embarrassment, and stress based on their HIV status,” the complaint states. “They may also run the risk of the loss of housing, relationships, and employment when their HIV status is revealed.”
“John Doe One feels that CVS has essentially handed a weapon to anyone who handled the envelope, giving them the opportunity to attack his identity or cause other harm to him,” the complaint says.
“John Doe Two lives in a small town and fears the stigma that would result from the disclosure of his HIV status… He is concerned that people such as his postal delivery person now knows his HIV status, particularly since CVS forces him to obtain his HIV medications by mail order and he receives those medications at the same address.
“John Doe Three lives in a small town where ‘everyone knows everyone.’ He does not publicly disclose his HIV status, but has friends and relatives who work for the U.S. Postal Service who would have seen this mailing and discovered his HIV status because of the defendants’ mailing,” it says.
RELATED: Local victims of Aetna HIV status breach can get assistance
The lawsuit also claims CVS was made aware of the breach months ago and failed to notify the affected individuals or the U.S. Department of Health and Human Services. Those are mandatory steps whenever there is a breach of the Health Insurance Portability and Accountability Act (HIPAA).
There is no record of the alleged breach on HHS's online portal that tracks incidents of private health information being disclosed.