Updated: Sep 23, 2020
On Tuesday, March 6, 2018, New York State Attorney General Eric T. Schneiderman announced a settlement with health care provider EmblemHealth following a mailing error involving over 81,000 policyholders. EmblemHealth will pay a fine of $575,000 and implement a three-year Corrective Action Plan which includes a comprehensive risk assessment.
On October 13, 2016. EmblemHealth discovered that it printed the social security number of 81,122 policyholders on the outer envelope of each set of coverage documents. 55,664 of the policy holders were New York residents. The problem was compounded by the mailing vendor being provided with a list that included the social security numbers – a data element which is to be protected from those who do not need it, according to HIPAA law. In this situation, a mailing vendor would not need social security numbers. In addition, printing of social security numbers on a postcard, mailer or envelope violates New York General Business Law § 399-ddd(2)(e).
EmblemHealth has agreed to abide by the penance project penalties set for by the New York Attorney General agreement. EmblemHealth will pay a fine of $575,000, review and revise all policies and procedures related to security risk assessments, notify the Attorney General of any gaps in risk assessment, ensure all workforce members are appropriately trained in regards to mailing best practices, will participate in a 3 year Corrective Action Plan that includes reporting on the loss or compromise of New York residents’ information to the New York Attorney General for items that would not otherwise trigger a notification and agrees to report any known violations of HIPAA Minimum Necessary Standard as set forth in 45 C.F.R. § 164.502(b) and § 164.514(b) and remediate any known violations. In other words, Emblem Health has been notified that it must to a much better job of securing its systems and protecting its policy holder data.
Emblem Health acknowledged the need for better snails.
Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.