New York Attorney General Eric Schneiderman announced that a $575,000 settlement had been reached in the EmblemHealth data breach case, following a mailing error incident that exposed 81,122 Social Security numbers.
The health plan discovered on October 13, 2016 that it had mailed policy holders a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (EOC Mailing). The EOC Mailing included a mailing label that had the policyholder’s Social Security number on it.
Normally a mailing identifier number is printed in that position, EmblemHealth explained in its announcement of the original incident.
“Our investigation found that, while preparing the Evidence of Coverage documents for mailing, [Health Insurance Claim Numbers] were inadvertently included in the electronic file sent to EmblemHealth’s vendor and were then disclosed on the external mailing label that was affixed to the package,” the data breach notification letter said.
HICNs incorporate individuals’ Social Security numbers, EmblemHealth stated. Individuals’ names and addresses appeared on the mailing label along with the nine digits of their Social Security number “that were listed as the package number (PKG#) located above the barcode,” the health plan stated.
The Attorney General’s office explained that EmblemHealth “failed to comply with many of the standards and procedural specifications as required by HIPAA.” Printing a mailing with visible Social Security numbers also violates New York law.
EmblemHealth must pay the $575,000 and implement a corrective action plan, which will include having a thorough risk analysis. The health plan will need to ensure that all “security risks associated with the mailing of policy documents to policyholders” are accounted for in the risk analysis.
EmblemHealth also must catalogue, review, and monitor its mailings, making “reasonable efforts” to ensure the following:
- All relevant workforce members are adequately trained for each discrete job function that they are tasked with or assigned to perform related to mailings
- Any known violations of EmblemHealth policies and procedures relating to the HIPAA Minimum Necessary Standard are reported
- For a period of three (3) years, security incidents involving the loss or compromise of New York residents' information are reported to the Attorney General’s office, even where they might not otherwise trigger the reporting requirements of New York State law
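The failure described above (HICNs, which embed the Social Security number, landing in the package-number field of the file sent to the print vendor) and the review-and-monitor obligation in the corrective action plan both come down to checking what a mailing export exposes before it leaves the organisation. The following is an added example, not EmblemHealth's or the vendor's code: a pre-release scan of a constructed CSV export that flags any externally printed field carrying an SSN or legacy HICN. The column names are hypothetical, since the article does not describe the real file layout.

```python
import csv
import io
import re
from typing import Optional

# Legacy Medicare HICN: a 9-digit SSN followed by a 1-2 character
# Beneficiary Identification Code (e.g. "A", "B1", "C2", "D").
HICN_RE = re.compile(r"^\d{9}[A-Z][0-9A-Z]?$")
# A bare 9-digit SSN, with or without the usual 3-2-4 dashes.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Fields printed on the outside of the package. Hypothetical column names;
# the real vendor layout is not described in the article.
LABEL_FIELDS = ("name", "address", "pkg_number")

def classify(value: str) -> Optional[str]:
    """Return the kind of identifier a label value looks like, or None."""
    v = value.strip().upper()
    if HICN_RE.match(v):
        return "HICN"
    if SSN_RE.match(v):
        return "SSN"
    return None

def scan_mailing_file(text: str) -> list:
    """Flag rows whose externally visible fields carry an SSN or HICN.

    Returns one finding per offending field: row number (1-based, header
    excluded), field name and identifier type. The value itself is not
    echoed, so the findings log does not become a second exposure.
    """
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        for field in LABEL_FIELDS:
            kind = classify(row.get(field, ""))
            if kind:
                findings.append({"row": row_no, "field": field, "type": kind})
    return findings

# Constructed sample export. Row 1 carries an opaque mailing identifier as
# intended; rows 2 and 3 reproduce the failure mode, with a HICN and a bare
# SSN placed in the package-number column.
SAMPLE_EXPORT = """name,address,pkg_number
Jane Doe,1 Main St,MAIL-000001
John Roe,2 Oak Ave,123456789A
Pat Poe,3 Elm Rd,987-65-4321
"""

if __name__ == "__main__":
    for f in scan_mailing_file(SAMPLE_EXPORT):
        print(f"row {f['row']}: {f['field']} contains a {f['type']}; hold the file")
```

A non-empty result is a release blocker for the whole file, not just the flagged rows, since the same upstream mapping error produced every one of them.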
“The careless handling of social security numbers is never acceptable,” Schneiderman said in a statement. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”
Along with the state settlement announcement, Schneiderman also stressed the importance of the previously introduced “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act).
New York Senator David Carlucci and Assemblymember Brian Kavanagh sponsored the bill, which would require companies to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data.
Personal information that would require notification should it become breached includes information covered under HIPAA regulations, biometric data, and username-and-password combinations.
“New York's data breach notification law needs to be updated to keep pace with current technology,” the bill’s summary stated. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information.”
Assemblymember Kavanagh said when the bill was introduced in 2017 that data security practice deficiencies at big businesses have put millions of New Yorkers at risk.
“I am proud to work with Attorney General Schneiderman on this important legislation to require businesses to take appropriate steps to safeguard our data,” Kavanagh stated. “In this technological age, we cannot allow companies to be careless with our personal information. I look forward to working with Senator Carlucci and our colleagues in the legislature to enact this bill into law.”