Mailing Mistake HIPAA Violation Sees EmblemHealth Fined $575k

by | Mar 12, 2018

A $575,000 settlement with the New York Attorney General has been agreed by EmblemHealth following a 2016 mailing error that saw the Health Insurance Claim Numbers of 81,122 clients printed on the outside of envelopes.

New York Attorney General Eric T. Schneiderman announced the settlement and stated that the Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA covered entities to formulate administrative, physical, and security measures to ensure the confidentiality of patients’ and plan members’ private health data.

A unique patient identifier is printed on the envelopes in all mailings. In this particular instance, the potential for harm was considerable, as Health Insurance Claim Numbers include the Social Security numbers of clients.

EmblemHealth did not adhere to “many standards and procedural specifications” that are obligatory under HIPAA regulations. Attorney General Schneiderman also revealed that having Social Security numbers visible on the outside of envelopes breaches New York General Business Law § 399-ddd(2)(e).

Along with the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The Attorney General’s office must be made aware of the outcome of that risk analysis review within six months. Policies and procedures that involve mailings must also be constantly reviewed and refreshed based on the official outcomes of the risk analysis.

EmblemHealth must list, audit and monitor mailings and make sure that all members of staff involved in mailings receive the proper training. They must also be trained on reporting any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow fast remedial action to be taken to manage risks to individuals. EmblemHealth must also report all security incidents to the Attorney General’s office for a period of three years from the settlement date.

New York State Attorney General Schneiderman referred to “weak and outdated security laws”, which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017.

There will now be another attempt to get the SHIELD Act passed. Schneiderman says that the SHIELD Act will improve security for state residents. Companies will also be responsible for data breaches that lead to customers’ personal data being exposed.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
