"We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members", declared a spokesman for Aetna following complaints. The two legal organizations have teamed up with attorneys from eight other organizations in a bid to represent these customers.
The envelope had a plastic window that in some cases showed not just the customer's name and address, but also the names of medications, exposing some recipients' HIV status. This meant that whoever picked up the mail that day - a family member, a friend, a postal worker - would have been able to see the confidential information, according to the Legal Action Center and the AIDS Law Project of Pennsylvania.
A USA health insurance company accidentally disclosed some of its customers' HIV statuses to around 12,000 people last month.
It's not entirely clear how the letters were packaged, but they were created to alert HIV positive people to changes in their medication.
Aetna sent the mailer to approximately 12,000 customers nationwide on July 28, but it is unclear how many were affected because of the way the letter was positioned in the envelope.
They add that additional legal action is being considered.
The legal groups wrote on behalf of Aetna customers in Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, and the District of Columbia, according to their letter.
Sally Friedman, the Legal Action Center legal director in NY, said: "Aetna's privacy violation devastated people whose neighbours and family learned their intimate health information".
"These privacy violations have caused incalculable harm to Aetna beneficiaries", the letter states.
Last month, about 12,000 Aetna customers across the U.S. were sent letters regarding their health benefits and access to HIV medications with a clear window cut out of the envelope that exposed their status to anyone who laid eyes on it.
The incident could violate the Privacy Rule of the 1996 Health Insurance Portability and Accountability Act (HIPAA), which requires "health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared". "You need to fix this".