EmblemHealth made a mailing error in 2016 that disclosed 81,122 Health Insurance Claim Numbers, which were printed on the outside of envelopes. The potential harm was significant because those claim numbers were derived from plan members’ Social Security numbers, so printing the claim number on an envelope effectively exposed the SSN itself. EmblemHealth settled with the New York Attorney General for $575,000.
NY Attorney General Eric T. Schneiderman emphasized that covered entities must strictly comply with HIPAA rules, enforcing administrative, technical and physical safeguards that protect the confidentiality and integrity of patients’ and health plan members’ PHI. The exposure of Social Security numbers in this case is a serious HIPAA violation. Printing the Social Security numbers on the envelopes also violated New York General Business Law § 399-ddd(2)(e), which prohibits printing an individual’s SSN on mailed materials unless a legal exception applies.
Besides the $575,000 payment, EmblemHealth must implement a corrective action plan that requires it to:
- Conduct a comprehensive risk analysis of its processes for mailing policy documents and submit a report on the results to the Attorney General’s office within 180 days.
- Review and update its mailing-related policies and procedures based on the results of that risk analysis.
- Catalogue, review, and monitor all mailings.
- Train all employees involved in mailings appropriately; those employees must also immediately report violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials so that risks to plan members can be addressed promptly.
- Report all security incidents to the Attorney General’s office for three years from the date of the settlement.
Attorney General Schneiderman has made addressing New York’s weak and outdated data security laws a priority. In November 2017 he introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to strengthen those laws and improve the protection of New York residents against breaches of their personal data. Businesses are expected to safeguard private information appropriately; those that violate residents’ privacy will be held accountable.