The Crown Blog

Breach Notification Letter Causes Patient Confidentiality Breach

Aetna settled a lawsuit for $17 million Wednesday over a data breach that happened in the summer of 2017. The privacy of as many as 12,000 people insured by Aetna was compromised in a very low-tech way: The fact that they had been taking HIV drugs was revealed through the clear window of the envelope.

In an ironic twist, the letters were sent in response to a settlement over previous privacy violation concerns. Aetna had required members to obtain HIV medications through mail-order pharmacies. Lawsuits filed in 2014 and 2015 alleged that policy was discriminatory, that it prevented patients taking HIV medicine from receiving in-person counseling from a pharmacist and that it jeopardized members’ privacy.

Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications. Those notification letters were mailed in envelopes with a large window, and it was that window that exposed sensitive HIV information.