How much trouble is Aetna (AET) in?

On Thursday a group of lawyers announced that the health insurance giant accidentally revealed the HIV status of patients in a letter about changes to drug benefits. Part of the information regarding medication specific to HIV-positive patients was printed in a way that was visible through the letters' plastic address window.

These letters used envelopes with plastic sheeting considerably larger than the address. As a result, the first paragraph was openly visible including text that said "when filing prescriptions for HIV Medici…"

As a result, anyone who picked up the letter could read this information, such as mail carriers, roommates or the general public. As many as 12,000 people may have been affected by this, causing a seemingly-clear violation of the Health Insurance Portability and Accountability Act (HIPAA).

There could be swift changes ahead.

What is HIPAA?

Among other things, HIPAA establishes protections for privacy when it comes to medical information. In the wake of a series of amendments in 2013, the law has approached what is known as a "strict liability standard." That is to say, under most circumstances a breach of confidentiality regarding patient information is considered a per se violation of the law. When patient health information is released, such as in Aetna's case, the company faces a rebuttable presumption that it violated HIPAA.

This kind of scheme is rare in the law. Ordinarily a plaintiff or regulator has to prove not only the fact that something happened, but also that the defendant caused this harm through negligence (failure to exercise due care) or recklessness (when one knew or should have known that harm would result from one's actions). Legislators have made HIPAA's patient information provisions different, in part, because medical information is a bell that simply can't be unrung.

Once a patient's information has escaped into the wild virtually anyone can discover it. A mistake with medical bills can out a gay person against their wishes, for example, or reveal deeply personal information about health and habits. This is at once both highly damaging and impossible to correct, so HIPAA imposes a high standard in order to incentivize businesses and doctors to exercise comparably heightened care.

That still doesn't automatically trigger major financial liability. Much of the penalties involved depend on just how much carelessness was involved.

What is Aetna's Real Stake Here?

TheStreet Recommends

In a statement on Thursday the Legal Action Center said that it has filed a demand letter on behalf of the affected individuals which calls on Aetna to "immediately stop… [and] to develop a plan to correct its practices and procedures." The organization has said that it's working on this with the AIDS Law Project as well as "attorneys with eight organizations" across numerous states.

So far, so normal.

In a case like this a cease-and-desist letter is an ordinary first step. Before lawyers can address the damage that has been done they first have to prevent further harm. This isn't unusual. It also doesn't insulate Aetna from further liability.

In fact, the insurer may face quite a lot of damages.

First and foremost, there are statutory penalties. HIPAA violations carry several different forms of mandatory fines, most of which depend on the severity of harm and the degree of neglect. Much depends on what regulators and the courts decide regarding Aetna's degree of negligence.

Breaches of patient information that result from "willful neglect," using the definition of recklessness covered above, trigger fines from the Office of Civil Rights (the OCR) of up to $50,000 per violation. The fact that Aetna didn't self-report might trigger more fines still, if the OCR decides that it should have known about the privacy breach. These fines could be multiplied by as many as the full 12,000 patients who received these letters.

Then there are private causes of action: the lawsuit.

HIPAA does not in and of itself give someone the right to sue, but it doesn't block suits based on state laws. Most states will allow a lawsuit for a negligent breach of information if it led to harm, and those cases usually use HIPAA as a template to establish a violation. Although the plaintiffs in this case would be scattered across many jurisdictions (Aetna sent these letters to recipients in at least eight states and Washington D.C.), it's likely that most, if not all, will be able to mount a lawsuit.

Much of Aetna's liability will depend on facts still developing, but it will almost certainly face some fines and restitution to the plaintiffs. Exactly how much will depend on the degree of carelessness that led to this mistake and how quickly Aetna acts to solve this problem. History, however, indicates that even simple carelessness can lead to enormous fines when patient records are involved.

In one illustrative case, Advocates Health Care Network paid a $5.5 million settlement in part based on a unencrypted laptop left in a vehicle overnight. The mere heightened possibility of this patient information breach led to a seven-figure judgment, and in Aetna's case many of the affected parties say that family, friends and strangers have already learned about their HIV-positive status from these envelopes.

Aetna's next steps will make a big difference, but its liability may already be substantial.

More of What's Trending on TheStreet: