The New York Attorney General recently announced a $575,000 settlement with EmblemHealth, one of the largest health plans in the United States, after a “mailing error” resulted in the accidental disclosure of more than 80,000 social security numbers.
In October of 2016, EmblemHealth mailed over 80,000 policyholders, including approximately 55,000 New York residents, paper copies of their Medicare Prescription Drug Plan Evidence of Coverage. The mailing label affixed to each envelope included the policyholder’s Health Insurance Claim Number, which incorporated their social security number. According to the Attorney General’s Office, EmblemHealth’s actions violated many standards and procedures required by HIPAA. It also violated New York’s General Business Law § 399-ddd(2)(e), which prohibits printing an individual’s social security number “on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.”
As part of the negotiated settlement with the Attorney General’s office, EmblemHealth agreed to implement a Corrective Action Plan that includes a thorough analysis of the security risks associated with mailing policy documents, and to submit a report of its findings to the Attorney General’s office within 180 days of the settlement. It also agreed to review and revise its policies and procedures based on the results of that assessment, and to notify the Attorney General’s office of any action it takes. In addition, EmblemHealth pledged to make reasonable efforts to ensure that all relevant employees are adequately trained to avoid similar disclosures in future mailings, to report any known violations of EmblemHealth policies and procedures relating to the HIPAA Minimum Necessary Standard, and to remediate all such violations as soon as practicable. Lastly, for the next three years, EmblemHealth must report the loss or compromise of New York residents’ information to the Attorney General’s office, even in situations that would not otherwise trigger New York State reporting requirements.
So, while this breach cost EmblemHealth only $575,000 in payments to the AG’s office, it will cost significantly more in future compliance time and expense. EmblemHealth’s decision to settle, the amount of the settlement, and its agreement to ongoing scrutiny by the Attorney General all speak volumes about the publicity risks associated with these kinds of privacy violations, because the statute itself would have given EmblemHealth a strong position in court. First, the same section of the General Business Law discussed above caps judicial fines for violations arising from a single occurrence at $100,000 for a first offense and $250,000 for a second offense, both well below the settlement amount. Second, the General Business Law provides would-be violators with an out: the provisions will not be “deemed . . . violated” if the entity demonstrates, by a preponderance of the evidence, that the violation was unintentional “and resulted from a bona fide error made notwithstanding . . . procedures reasonably adopted to avoid such error.”
It is unclear whether any of the individual policyholders will be able to maintain direct actions against EmblemHealth, even assuming they can tie concrete damages to the breach. Thanks to Evan King for his contribution to this post. Please email Brian Gibbons with any questions.