NY Attorney General Fines EmblemHealth €575,000 for HIPAA Breach

A mailing mistake by EmblemHealth in 2016 that resulted in the Health Insurance Claim Numbers of 81,122 plan subscribers printed on the exterior of envelopes has resulted in the New York Attorney General applying a $575,000 settlement fine.

Despite that all mailings have a unique patient identifier on the envelope, in this case the potential for damage was high as Health Insurance Claim numbers are formed using the Social Security numbers of plan subscribers.

Revealing the settlement, New York Attorney General Eric T. Schneiderman outlined that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered bodies to adapt administrative, physical, and technical security measures to ensure the confidentiality of patients’ and plan subscribers’ protected health information.

The mistake that saw Social Security numbers exposed breached HIPAA Rules. EmblemHealth failed to adhere with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also revealed that printing Social Security numbers on the exterior of envelopes breached New York General Business Law § 399-ddd(2)(e).

Along with to the $575,000 settlement, EmblemHealth must adopt a robust corrective action process that requires a comprehensive risk analysis to be carried out related to the mailing of policy documents. The findings of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures that refer to mailings must also be examined and updated based on the results of the risk analysis.

EmblemHealth must list, review, and monitor mailings and ensure that all workers involved in mailings receive proper training. They must also be advised to report any breaches of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow swift action to be taken manage risks to plan subscribers. EmblemHealth is also oblgated to report all security incidents to the Attorney General’s office for a period of three years after the date of the settlement.

Attorney General Schneiderman also said that New York has “weak and outdated security laws” which he has tried to address by bringing in the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be another push to get the SHIELD Act across the line. Schneiderman believes the SHIELD Act will enhance protections for state residents. Companies will also be held responsible for data violations that result in customers’ personal data being accessed.

Attorney General Schneiderman Stated: “The careless handling of social security numbers is never acceptable. New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: https://twitter.com/ElizabethHzone