EmblemHealth has agreed to a $575,000 settlement with the New York Attorney General following a 2016 mailing error that saw the Health Insurance Claim Numbers of 81,122 clients printed on the outside of envelopes.
New York Attorney General Eric T. Schneiderman announced the settlement and stated that the Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA covered entities to formulate administrative, physical, and security measures to ensure the confidentiality of patients’ and plan members’ private health data.
A unique patient identifier is printed on the envelopes in all mailings. In this particular instance, the potential for harm was considerable, as Health Insurance Claim Numbers include the Social Security numbers of clients.
EmblemHealth did not adhere to “many standards and procedural specifications” that are obligatory under HIPAA regulations. Attorney General Schneiderman also revealed that having Social Security numbers visible on the outside of envelopes breaches New York General Business Law § 399-ddd(2)(e).
Along with the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The Attorney General’s office must be made aware of the outcome of that risk analysis review within six months. Policies and procedures that involve mailings must also be constantly reviewed and refreshed based on the official outcomes of the risk analysis.
EmblemHealth must list, audit and monitor mailings and make sure that all members of staff involved in mailings receive the proper training. They must also be trained on reporting any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow fast remedial action to be taken to manage risks to individuals. EmblemHealth must also report all security incidents to the Attorney General’s office for a period of three years from the settlement date.
New York State Attorney General Schneiderman referred to “weak and outdated security laws,” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017.
There will now be another attempt to get the SHIELD Act passed. Schneiderman says that the SHIELD Act will improve security for state residents. Companies will also be responsible for data breaches that lead to customers’ personal data being exposed.