Vendor Management Lessons from Aetna’s $20 Million Lawsuit

You likely use third-party vendors to outsource your payroll, HR or IT infrastructure — all essential business functions. Unfortunately, in doing so, you’re giving multiple companies access to sensitive data, including private patient or customer information. In the event of a breach or leak of said sensitive information, it’s important to know where the chips fall and what liability you’re assuming when you outsource business efforts.

Let’s take a look at how outsourcing significantly impacted the health insurer Aetna to assess opportunities and risks involved with hiring a third-party vendor.

Aetna’s settlement

If you’re unfamiliar with the backstory, Aetna made news for paying about $20 million in legal settlements from a 2017 case concerning privacy violations affecting about 12,000 people. Unlike most HIPAA violation settlements, this case was remarkably low-tech: rather than a digital breach of clients’ personal information, Aetna mailed information about patient HIV medications in envelopes with clear windows, through which that information could be read.

Ironically, the letters were sent in response to a settlement over earlier privacy violation concerns. Aetna had required members to obtain HIV medications through mail-order pharmacies, and lawsuits in 2014 and 2015 alleged the policy was discriminatory because it prevented patients taking HIV medicine from consulting a pharmacist in person, jeopardizing members’ privacy.

Managing Third Party Vendors

Now, two new legal battles related to the breach are playing out in federal courts, and some legal experts say the case offers early lessons to covered entities and business associates about the importance of good vendor management practices.

After settling its initial lawsuits, Aetna agreed to increase protections to ensure the privacy of protected health information (PHI) and personally identifiable information in mailings. However, the health insurer has since taken action against Kurtzman Carson Consultants (KCC), the company that handled the mailings, which led to Aetna’s latest lawsuits.

Aetna is seeking reimbursement of some $20 million in damages, claiming KCC never advised Aetna or its counsel that it intended to use envelopes with windows to mail patient PHI.

What makes this case such an interesting study of HIPAA understanding and PHI management is that KCC is countersuing Aetna, claiming that, as a third-party actor, it has no obligation to provide indemnity, contribution or reimbursement to Aetna under any circumstances.

Additionally, KCC claims Aetna provided it with far more PHI of Aetna insureds than was minimally necessary for KCC to perform its job function, and that without Aetna having provided that PHI, KCC would have had no direct access to or control over it, since the PHI was at all times supplied by Aetna. To top it all off, KCC claims Aetna delivered the member mailing via unencrypted email.

Vendor Management Practices

What shines through this case is that good vendor management practices involve a risk-based strategy for assessing the potential for data to be compromised. While outsourcing any duty carries inherent risk to your organization, you should expect your business partners to take responsibility for their duties.

Whether an organization is mailing out PHI itself or hiring contractors to produce and send materials, there needs to be a quality control process covering both the design and the delivery of the finished product. Fortunately, there are IT providers who can safely transmit data on your behalf, so that you’re never in the situation of providing a vendor with too much data, or of hiring one with little experience managing sensitive information.

If you’re not currently applying these security best practices to your vendor relationships, perform an IT assessment and ask what control assessments your vendors use to protect your company and your patients’ PHI. Routine check-ins and ongoing analysis can make all the difference: with continuous support, you can avoid costly lawsuits and manage patient information securely.