Aetna has sued a plaintiffs firm and a consumer group in connection with a compounded privacy blunder that outed HIV patients and forced the company to pay out $17 million to those affected.

The insurance giant was originally sued in federal court in Philadelphia after it mailed notifications to patients about how to fill their HIV drug prescriptions that clearly identified them in envelope windows.

“Rather than sending instructions about how people taking HIV medications could fill their prescriptions in an opaque envelope, Aetna … instead sent this highly sensitive information in an envelope with a large transparent glassine window,” the first complaint against Aetna said.

After that matter settled, Aetna was hit with another suit for allegedly exposing patients' confidential information a second time when settlement notifications were sent out to potential class members in envelopes with transparent windows.

Now, Aetna is going after plaintiffs firm Whatley Kallas and the nonprofit Consumer Watchdog, which represented the class members, alleging they were responsible for sending out the mailings that led to the second breach.

Aetna's complaint consists of four counts: implied indemnity, equitable indemnity/comparative negligence, the right of contribution, and declaratory relief.

The insurer is demanding that the Whatley firm and the consumer group “defend, indemnify, and/or hold Aetna harmless from and against any liability, damages, payments, penalties, claims, losses, and costs and expenses, including attorneys' fees, related to the incident, the underlying actions, and the investigation.”

The Whatley firm did not respond to a request for comment.

“Since Aetna and its various outside counsel first suggested in August 2017 that lawyers for Consumer Watchdog and Whatley Kallas LLP were somehow responsible for its most recent privacy breach, we have emphatically disputed both the factual and legal basis for this assertion, citing communications with Aetna in our and your possession as well as documents from [claims administrator Kurtzman Carson Consultants] unequivocally establishing that Aetna and its outside counsel are solely responsible for the breach,” the letter said. “On multiple separate occasions, we have requested Aetna provide any evidence in its possession pertaining to such a claim, and we have explained how the factual bases for such claims are demonstrably false.”

In February, Aetna filed a federal lawsuit in Philadelphia against KCC, the claims administrator, blaming it for the second breach.

But the administrator, in turn, sued Aetna in California, charging that the insurer and its agent, Gibson, Dunn & Crutcher, committed negligence and breach of contract for “failure to adequately safeguard the protected health information of thousands of Aetna insureds.” Gibson Dunn was not named as a defendant in the lawsuit, however.