A Second State Hits EmblemHealth With Breach FineCase Involves Social Security Numbers Exposed in Mailings
For the second time this year, health insurer EmblemHealth has been hit with a state financial penalty in connection with a 2016 breach that exposed Social Security numbers on mailings to more than 81,000 plan members.
The New Jersey attorney general Gurbir Grewal on Dec. 10 announced a $100,000 settlement in the case. Back in March, the breach resulted in a $575,000 settlement with New York's attorney general's office.
The two settlements highlight the importance of preventing health information mishaps regardless of the medium as well as the potential for serious enforcement actions by states.
"State AGs will continue to ramp up enforcement of data protection regulations as breaches rise, along with public awareness of potential risks," says Kate Borten, president of privacy and security consultancy The Marblehead Group. "Healthcare covered entities and business associates must pay as much attention to state laws as to HIPAA."
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
State Residents Affected
Grewal said EmblemHealth agreed to pay the civil penalty and implement corrective actions in the breach, which affected 6,443 New Jersey customers. The New York settlement noted the breach affected 56,000 residents of that state.
New York-based EmblemHealth is of the nation's largest not-for-profit health insurers. Its subsidiary, Group Health Inc., is also a party to the latest settlement.
On Oct. 3, 2016, a vendor serving the health insurer mailed its Medicare Part D prescription drug plan's "evidence of coverage" form to 81,122 of its customers, according to the New Jersey settlement's consent order.
The label affixed to the mailing improperly included each customer's Medicare Health Insurance Claim Number, New Jersey settlement documents note. The number incorporates the nine digits of the customer's Social Security number as well as an alphabetic or alphanumeric beneficiary identification code.
During the investigation into the incident, New Jersey officials determined that after the departure of the EmblemHealth employee who typically prepared the mailings, the task was assigned to a team manager of EmblemHealth's Medicare products group, who received minimal training specific to the task and worked unsupervised.
"Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file," the consent order says.
Ultimately, that vendor, United Parcel Service Mailing Innovations, printed out mailing labels containing the member HICNs, which were affixed to the outside of the envelopes sent to EmblemHealth members.
The New Jersey investigation resulted in allegations that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and HIPAA.
"Health insurers entrusted with their customers' sensitive personal information have a duty to avoid improper disclosures," Grewal says. "EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future."
In addition to paying the financial penalty, EmblemHealth has agreed to a number of corrective actions, including:
- No longer using HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files. Instead, the company is converting to a system that employs unique identifiers to identify its customers.
- Agreeing to require the formal transfer of an outgoing employee's responsibilities to another qualified employee or third party. The transition process will include necessary training.
- Engaging a training vendor and implementing new privacy and security training modules for employees upon hiring, and on an annual basis.
In a statement provided to Information Security Media Group, EmblemHealth says that upon discovering the problem in 2016, the company immediately took action to identify affected members and put protective measures in place.
"We are committed to providing the best service to our customers and have worked closely with the attorney general to enhance our procedures and to give our members peace of mind," EmblemHealth says.
So far, no cases of any member information being accessed or used improperly have been reported, the company claims.
Other New Jersey Actions
The New Jersey attorney general's office took action in another health data security case earlier this year.
In April, the office smacked medical practice Virtua Medical Group with a $418,000 penalty for a 2016 breach involving a vendor's misconfiguration of a file transfer protocol server that exposed health data of about 1,600 patients on the internet.
That was followed in November by a settlement with the vendor involved in that same Virtua Medical Group incident, ATA Consulting LLC, which was based in Georgia and did business as Best Medical Transcription.
The settlement with Best Medical Transcription included a $200,000 financial payment and banning the company's owner from managing or owning a business in the state.
New York Settlements
New York's attorney general has also been active in health data breach-related cases.
In addition to its own settlement in March with EmblemHealth, the New York attorney general's office in August signed a $200,000 HIPAA settlement and corrective action plan with The Arc of Erie County after a breach impacting more than 3,000 individuals.
The incident at the center of the settlement involved protected health information that was accessible on the internet via search engines for nearly three years.
The New York attorney general's office also signed a $1.15 million settlement with Aetna after the health insurer revealed the HIV status of approximately 2,460 New York members through a mailing in July 2017 sent to 12,000 individuals. The envelopes' oversize transparent address windows revealed text confirming the members' HIV status.
The New York settlement with Aetna also involved a second breach involving mailings related to heart study.
"I expect that we will see a continued increase in AG actions as they build their experience and because privacy and security is a hot area of enforcement right now," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Meanwhile, at the federal level, the HIPAA enforcement agency, the Department of Health and Human Services' Office for Civil Rights, has announced eight enforcement actions this year with financial penalties totaling $25.6 million (see HIPAA Case: Hospital Fined for Ex-Employee's Access to PHI).
Lessons to Learn
The EmblemHealth and Aetna cases offer important reminders to covered entities and business associates, Greene says. "CEs and BAs should consider a robust privacy audit program that includes mailings," he notes.
"Organizations can count on human error, whether it is a misalignment of an envelope window, an address mismatch in a mail merge spreadsheet, or too much information included on a printed address label, and should consider building audit systems to find and correct such mistakes."