CVS Health is being sued for unintentionally revealing the HIV-positive status of up to 6,000 Ohioans through a mailing about prescriptions to their homes.
The federal lawsuit filed last week asks for class action status and a jury trial to award damages to those affected.
The three John Doe plaintiffs are HIV-positive men living in Delaware, Defiance and Gallia counties in Ohio. They are all clients of the Ohio HIV Drug Assistance Program, which contracted with CVS Caremark as its pharmacy benefit manager in March of 2017.
Fiserv, the other company named in the lawsuit was contracted by CVS to do mailings.
Beginning in late July or early August 2017, the lawsuit says, a letter containing membership cards and information about getting HIV-related prescriptions through the CVS program were mailed out to an estimated 6,000 participants in OhDAP.
“CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously,” a statement from the company said.
“Last year, as part of a CVS Caremark benefits mailing to members of an Ohio client, a reference code for an assistance program was visible within the envelope window. This reference code was intended to refer to the name of the program and not to the recipient’s health status. As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings,” the statement said.
The reference code that was visible above the recipients name and address in the envelope window was a series of letters and numbers that ended with HIV.
“Persons with HIV are still subject to stigma, humiliation, mental anguish, embarrassment, and stress based on their HIV status,” the complaint states. “They may also run the risk of the loss of housing, relationships, and employment when their HIV status is revealed.”
“John Doe One feels that CVS has essentially handed a weapon to anyone who handled the envelope, giving them the opportunity to attack his identity or cause other harm to him,” the complaint says.
“John Doe Two lives in a small town and fears the stigma that would result from the disclosure of his HIV status… He is concerned that people such as his postal delivery person now knows his HIV status, particularly since CVS forces him to obtain his HIV medications by mail order and he receives those medications at the same address.
“John Doe Three lives in a small town where ‘everyone knows everyone.’ He does not publicly disclose his HIV status, but has friends and relatives who work for the U.S. Postal Service who would have seen this mailing and discovered his HIV status because of the defendants’ mailing,” it says.
The lawsuit also claims CVS was made aware of the breach months ago and failed to notify the affected individuals or the U.S. Department of Health and Human Services. Those are mandatory steps whenever there is a breach of the Health Insurance Portability and Accountability Act (HIPAA).
There is no record of the alleged breach on HHS’s online portal that tracks incidents of private health information being disclosed.
Thank you for reading the Dayton Daily News and for supporting local journalism. Subscribers: log in for access to your daily ePaper and premium newsletters.
Thank you for supporting in-depth local journalism with your subscription to the Dayton Daily News. Get more news when you want it with email newsletters just for subscribers. Sign up here.