A.G. Schneiderman Announces $575,000 Settlement With EmblemHealth After Data Breach Exposed Over 80,000 Social Security Numbers
EmblemHealth Agrees to Implement Corrective Action Plan and Conduct Comprehensive Risk Assessment
AG Schneiderman Renews Call to Pass SHIELD Act to Protect New Yorkers From Data Breaches
Attorney General Eric T. Schneiderman recently announced a settlement with healthcare provider EmblemHealth and wholly owned subsidiary Group Health Incorporated (“EmblemHealth”) after the company admitted a mailing error that resulted in 81,122 social security numbers being disclosed on a mailing. In addition to paying a $575,000 penalty, EmblemHealth agreed to implement a Corrective Action Plan and conduct a comprehensive risk assessment.
Attorney General Schneiderman today reiterated his call to improve New York’s weak and outdated security laws with the “Stop Hacks and Improve Electronic Data Security Act” (or “SHIELD Act”). Introduced by the Attorney General in November 2017, the SHIELD Act would comprehensively protect New Yorkers’ personal information from the growing number of data breaches and close major gaps in New York’s data security laws, without putting an undue burden on businesses.
“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”
EmblemHealth is one of the largest health plans in the United States. On October 13, 2016, it discovered that it had mailed 81,122 policyholders, including 55,664 New York residents, a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (“EOC Mailing”) that included a mailing label with the policyholder’s social security number on it. Normally, all mailings include a unique mailing identifier that is printed on the envelope. However, in this case, the mailing inadvertently included the insured's Health Insurance Claim Number, which incorporated the insured's social security number.
Pursuant to the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”), EmblemHealth is required to safeguard patients' protected health information, including social security numbers, and utilize appropriate administrative, physical and technical safeguards. In connection with its 2016 EOC Mailing, EmblemHealth failed to comply with many of the standards and procedural specifications as required by HIPAA. Printing an individual's social security number on “a postcard or other mailer not requiring an envelope, or visible on the envelope, or without the envelope having been opened” also violates New York General Business Law § 399-ddd(2)(e).
In addition to paying a $575,000 penalty, under the settlement EmblemHealth must implement a Corrective Action Plan that includes a thorough risk analysis of security risks associated with the mailing of policy documents to policyholders, and submit a report of those findings to the Attorney General’s office within 180 days of the settlement. EmblemHealth must also review and revise its policies and procedures based on the results of the assessment, and notify the Attorney General’s office of any action it takes. If no action is taken, EmblemHealth must provide a written detailed explanation of why no action is necessary. EmblemHealth must also catalogue, review, and monitor mailings and make reasonable efforts to ensure: (a) all relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings; (b) report any known violations of EmblemHealth policies and procedures relating to the HIPAA Minimum Necessary Standard, as set forth in 45 C.F .R. § 164.502(b) and § 164.514(b), to the appropriate EmblemHealth official and remediate any known violations as soon as practicable; and (c) for a period of three (3) years, report security incidents involving the loss or compromise of New York residents' information to the Attorney General’s office that might not otherwise trigger the reporting requirements of New York State law.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.