The New York Attorney General has just announced a settlement with EmblemHealth for $575,000 following a HIPAA breach at the organisation in 2016. The breach saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes, exposing this confidential PHI to anyone who handled or saw the mail.
All mailings from the organisation normally include a unique patient identifier on the envelope. In this case, however, the potential for harm was considerable, because Health Insurance Claim Numbers are formed using the Social Security numbers of plan members. Anybody with access to the Health Insurance Claim Numbers on those envelopes could therefore use them to steal the identities of plan members.
New York Attorney General Eric T. Schneiderman announced the settlement earlier this month. In his announcement, he explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The organisation clearly violated HIPAA and compromised the confidentiality of PHI with this blunder.
The error that exposed Social Security numbers violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).
The hefty fine is not the only consequence for violating HIPAA. EmblemHealth must adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The organisation has 180 days to report the results of the risk analysis to the Attorney General’s office to prevent further punishment. The results of the risk analysis must be used to update policies and practices related to mailing documents to customers.
In light of the breach, EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. Employees must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials so that prompt action can be taken to manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.
According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. In light of this breach, in which so many people were affected, there will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.
“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”