The New Jersey state attorney general’s office has fined the health insurance company EmblemHealth $100,000 for a 2016 data breach that exposed the PHI of more than 6,000 New Jersey plan members.
EmblemHealth mailed its plan members Medicare Part D Prescription Drug Plan Evidence of Coverage documents on October 3, 2016. Beneficiary identification codes and Medicare Health Insurance Claim Numbers (HICN), which include Social Security numbers, were printed on the labels. Over 81,000 policy members, including 6,443 New Jersey residents, received the mailings.
The New Jersey Division of Consumer Affairs investigated the incident and discovered failures in policies, procedures and staff training. While a trained member of staff oversaw previous mailings of Evidence of Coverage documents, that employee left EmblemHealth and was replaced by a team manager who had only received task-specific training and worked without supervision.
The team manager provided a data file to the mailing vendor without first removing PHI. As a result, the mailing vendor also printed the HICNs on the mailing labels. This error constituted a HIPAA violation and a violation of the New Jersey Consumer Fraud Act and the New Jersey Identity Theft Prevention Act.
Health insurance firms are obligated to prevent unauthorized disclosures of the sensitive information of plan members, but in this instance EmblemHealth failed in that regard. The violations of HIPAA and state laws were deemed to be severe enough to warrant a financial penalty. EmblemHealth agreed to settle the case and adopt a corrective action plan to address compliance failures.
EmblemHealth will ensure that when employees leave the company, there will be a formal process of transferring their responsibilities to other EmblemHealth staff members or third parties, and full training will be provided. All incoming employees will undergo privacy and security training, and regular refresher training sessions will also be provided. The corrective action plan will last three years, and the New Jersey Division of Consumer Affairs will oversee EmblemHealth’s compliance efforts and must be informed of any further privacy breaches.
This is the second financial penalty that EmblemHealth has paid to resolve the HIPAA violation. Earlier this year, the insurance company was fined $575,000 by the New York attorney general.