CVS Health is being sued for allegedly revealing the HIV status of 6,000 patients in Ohio.
A federal lawsuit claims CVS mailed letters last year that showed the status of participants in the state's HIV drug assistance program through the envelopes' glassine window.
The complaint, which was filed March 21 in federal court in Ohio, also names Fiserv, the company that CVS hired to mail the letters. On the envelopes used by Fiserv, the patients' HIV status could be seen through the clear window, just above their name and address, the documents states.
The letters included the patients' new benefits cards and information about a mail prescription program.
The companies are being sued by three unidentified plaintiffs, according to the complaint.
The first plaintiff, only identified as John Doe One of Delaware County, Ohio, says he "feels that CVS has essentially handed a weapon to anyone who handled the envelope, giving them the opportunity to attack his identity or cause other harm to him."
Another plaintiff identified as John Doe Two of Defiance County says he lives in a small town and fears the stigma stemming from the disclosure of his HIV status.
He is also concerned that his "friends and family run the risk of being stigmatized just by being seen with him."
The third plaintiff says he also lives in a small town in Gallia County, where "everyone knows everyone" and has experienced "significant distress as a result of this disclosure."
He is scared to leave his home and has "experienced complications and health issues since this disclosure, up to and including just in the past several days."
The plaintiffs are seeking a class-action suit and a jury trial.
The attorneys claim that CVS failed to announce the breach of privacy data and did not contact all the patients whose status was revealed.
In a statement to CNN, CVS Health said the envelope window was intended to show a reference code for the assistance program and not the recipient's health status.
"CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously," the statement said.
"As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings."
A representative for Fiserv told CNN the company does not comment on pending litigation.
The Ohio Department of Public Health did not reply to a request for comment Saturday.