New York Attorney General Penalizes Health Plan for Widespread Disclosure of Social Security Numbers
New York Attorney General Eric T. Schneiderman announced a $575,000 settlement with EmblemHealth and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers. EmblemHealth is one of the largest health plans in the United States.
EmblemHelath discovered that it had mailed 81,122 policyholders – including 55,664 New York residents – a paper copy of their Medicare Prescription Drug Plan of Coverage that included a mailing label with the policyholder’s social security number on it in October 2016. Such disclosure violates both the Health Insurance Portability and Accountability Act (“HIPAA”) and New York General Business Law § 399-ddd(2)(e). The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment. EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings and making all reasonable efforts to ensure:
- All relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings;
- Report any known violations of EmblemHealth’s policies and procedures related to HIPAA’s Minimum Necessary Standard to the appropriate EmblemHealth official and correct any known violations as soon as practicable; and
- Report security incidents involving the loss or compromise of New York residents’ information to the Attorney General’s office that might not otherwise trigger the reporting requirements under state law for a period of three years.
Schneiderman used the settlement announcement as a platform to advocate for stronger security laws and hold businesses accountable for protecting consumer’s personal data. His position falls squarely within the growing trend of Attorneys General across the country who are becoming increasingly active in their privacy enforcement efforts.