New Jersey Attorney General Gurbir Grewal fined health insurance vendor EmblemHealth $100,000 for its 2016 health data breach affecting more than 6,000 New Jersey residents. The New York-based insurer’s subsidiary Group Health is also party to the settlement.
The settlement resolves the state investigation into one of the country’s largest nonprofit insurers, which was launched after a breach involving EmblemHealth’s vendor.
In October 2016, the vendor sent a letter to customers with their Medicare Part D Prescription Drug Plan’s Evidence of Coverage. However, the mailing label also included Medicare beneficiary identification numbers (Health Insurance Claim Numbers, or HICNs), which were made up of the nine digits of a patient’s Social Security number.
According to officials, the identification number was labeled as the “Package ID” on the mailing label. The employee who prepared the mailings failed to remove the patient HICNs from the electronic data file before it was sent to the print vendor.
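The failure described above is a release-control problem: an export left the insurer with an SSN-derived identifier still in it, under a column name (“Package ID”) that gave no hint of what it held. The following Python script is an added illustration of the kind of pre-release gate that would have caught it; it is not code from the article, EmblemHealth or the print vendor. It assumes that HICNs take the form of the nine SSN digits followed by an optional one- or two-character beneficiary code suffix (an assumption not stated in the article), and it deliberately checks every field value rather than trusting column names, since the identifier here was exported under an innocuous label. The sample export is constructed with made-up placeholder values.

```python
import csv
import io
import re
from typing import Dict, List

# Assumed HICN shape (not stated in the article): the nine SSN digits followed
# by an optional one- or two-character beneficiary code suffix such as "A",
# "B" or "C1". Because the suffix is optional, a bare nine-digit SSN is
# flagged as well.
HICN_RE = re.compile(r"\d{9}(?:[A-Z][0-9A-Z]?)?")
# Only the 3-2-4 dashed SSN form is normalised to nine digits.
SSN_DASHED_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})")


def looks_like_hicn(value: str) -> bool:
    """True if a single field value has the shape of an SSN-based HICN.

    A ZIP+4 code such as "07101-1234" keeps its dash (it is 5-4, not 3-2-4)
    and therefore does not match, which avoids a common false positive in
    mailing files.
    """
    normalised = SSN_DASHED_RE.sub(r"\1\2\3", value.strip().upper())
    return HICN_RE.fullmatch(normalised) is not None


def scan_mailing_export(csv_text: str) -> Dict[str, List[int]]:
    """Check every value in every column, regardless of the column's name.

    Returns {column name: [1-based data row numbers]} for each column that
    holds at least one HICN-shaped value. Matching on column names alone
    would miss a file where the identifier sits under "Package ID".
    """
    findings: Dict[str, List[int]] = {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            # Rows with extra fields put them in a list under key None; skip.
            if isinstance(value, str) and looks_like_hicn(value):
                findings.setdefault(column, []).append(row_no)
    return findings


def release_to_print_vendor_ok(csv_text: str) -> bool:
    """Release gate: the file may leave only when no column carries HICNs."""
    return not scan_mailing_export(csv_text)


# Constructed sample export; the identifiers are made-up placeholders.
SAMPLE_EXPORT = (
    "Package ID,Name,Address,ZIP\n"
    "123456789A,Jane Doe,1 Main St,07101-1234\n"
    "987654321B,John Roe,2 Elm St,07102\n"
    "PKG-0003,Ann Poe,3 Oak St,07103\n"
)

if __name__ == "__main__":
    report = scan_mailing_export(SAMPLE_EXPORT)
    for column, rows in report.items():
        print(f"BLOCKED: column {column!r} holds HICN-shaped values in rows {rows}")
    print("release ok" if release_to_print_vendor_ok(SAMPLE_EXPORT) else "release blocked")
```

On the sample file the gate blocks the release and names the “Package ID” column, rows 1 and 2. A nine-digit value that is genuinely a package number would be flagged too; that is the intended behaviour for a gate placed between the mailing system and an outside vendor, where a human review of a handful of false positives is far cheaper than a disclosure.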
The investigation found EmblemHealth was at fault, as the employee who previously handled Evidence of Coverage mailings left the company and was replaced by someone with minimal training in that department.
New Jersey found EmblemHealth violated the state’s Identity Theft Prevention Act, HIPAA and the New Jersey Consumer Fraud Act.
“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers – the information will be stored securely and utilized discreetly,” Paul Rodríguez, Acting Director of New Jersey’s Division of Consumer Affairs, said in a statement.
“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” Grewal said in a statement. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”
Under the settlement terms, EmblemHealth is also required to reform several compliance functions to improve the security around its policyholder data. Further, the insurer may no longer use HICNs that stem from Social Security numbers or Medicare Beneficiary Identifiers to identify customers in mailings.
EmblemHealth will also need to incorporate formal training, including the transfer of an employee’s responsibilities to another when there is a departure, and will need to use a training vendor. The insurer will also need to use privacy and security training modules for new hires, which must be repeated each year.
For the next three years, the insurer must also notify customers and the Division of Consumer Affairs if or when a security breach impacting New Jersey residents occurs.
EmblemHealth already settled with New York for $575,000 in March 2018. The fine reflects the larger number of New York residents impacted.
This is the second settlement between New Jersey and a healthcare vendor in just a month. The Attorney General settled with the vendor behind the 2016 Virtua Health patient data breach for $200,000 on November 2.