New York Attorney General Penalizes Health Plan for Widespread Disclosure of Social Security Numbers
Tuesday, March 27, 2018
improper mailing, NY, AG, EmblemHealth, social security numbers, New York Residents
Print Mail Download i

New York Attorney General Eric T. Schneiderman announced a $575,000 settlement with EmblemHealth and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers.  EmblemHealth is one of the largest health plans in the United States.

EmblemHelath discovered that it had mailed 81,122 policyholders – including 55,664 New York residents – a paper copy of their Medicare Prescription Drug Plan of Coverage that included a mailing label with the policyholder’s social security number on it in October 2016.  Such disclosure violates both the Health Insurance Portability and Accountability Act (“HIPAA”) and New York General Business Law § 399-ddd(2)(e).  The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment.  EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings and making all reasonable efforts to ensure:

  • All relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings;
  • Report any known violations of EmblemHealth’s policies and procedures related to HIPAA’s Minimum Necessary Standard to the appropriate EmblemHealth official and correct any known violations as soon as practicable; and
  • Report security incidents involving the loss or compromise of New York residents’ information to the Attorney General’s office that might not otherwise trigger the reporting requirements under state law for a period of three years.

Schneiderman used the settlement announcement as a platform to advocate for stronger security laws and hold businesses accountable for protecting consumer’s personal data. His position falls squarely within the growing trend of Attorneys General across the country who are becoming increasingly active in their privacy enforcement efforts.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins