December 14, 2019

December 13, 2019

Subscribe to Latest Legal News and Analysis

December 12, 2019

Subscribe to Latest Legal News and Analysis

December 11, 2019

Subscribe to Latest Legal News and Analysis

New York Attorney General Penalizes Health Plan for Widespread Disclosure of Social Security Numbers

New York Attorney General Eric T. Schneiderman announced a $575,000 settlement with EmblemHealth and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers.  EmblemHealth is one of the largest health plans in the United States.

EmblemHelath discovered that it had mailed 81,122 policyholders – including 55,664 New York residents – a paper copy of their Medicare Prescription Drug Plan of Coverage that included a mailing label with the policyholder’s social security number on it in October 2016.  Such disclosure violates both the Health Insurance Portability and Accountability Act (“HIPAA”) and New York General Business Law § 399-ddd(2)(e).  The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment.  EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings and making all reasonable efforts to ensure:

  • All relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings;
  • Report any known violations of EmblemHealth’s policies and procedures related to HIPAA’s Minimum Necessary Standard to the appropriate EmblemHealth official and correct any known violations as soon as practicable; and
  • Report security incidents involving the loss or compromise of New York residents’ information to the Attorney General’s office that might not otherwise trigger the reporting requirements under state law for a period of three years.

Schneiderman used the settlement announcement as a platform to advocate for stronger security laws and hold businesses accountable for protecting consumer’s personal data. His position falls squarely within the growing trend of Attorneys General across the country who are becoming increasingly active in their privacy enforcement efforts.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...