Attorney General Schneiderman of New York announced a $575,000 settlement with EmblemHealth after a 2016 data breach exposed more than 80,000 Social Security Numbers.

The 2016 breach was caused by a mailing error in which the Health Insurance Claim Numbers of 81,122 EmblemHealth plan members were printed on the outside of envelopes.  The problem is that the Health Insurance Claim Numbers were created using plan members’ Social Security Numbers.  This means that potentially anyone who came into contact with these envelopes might have a plan member’s Social.

EmblemHealth is one of the largest health plans in the United States.  The fact that EmblemHealth is a health care entity means this is a HIPAA breach.  It may be a few years before the Office for Civil Rights concludes its investigation into the breach.

Attorney General Schneiderman said, “The careless handling of social security numbers is never acceptable. New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

Schneiderman also reiterated how important the “Stop Hacks and Improve Electronic Data Security Act” (or “SHIELD Act”) is to the New York public.  It was created in 2017 to help protect New Yorkers’ personal information.

Data breaches are on the rise, and it appears that Attorney General Schneiderman is going to continue working against that trend.

In addition to paying a $575,000 penalty, EmblemHealth agreed to implement a Corrective Action Plan and conduct a comprehensive risk assessment.  EmblemHealth will also need to provide a report of the findings from the risk assessment to the Office of the Attorney General within 180 days. Part of the Corrective Action Plan requires EmblemHealth to report to the Attorney General’s office, within the next three years, security incidents involving the loss or compromise of New York residents’ information that might not otherwise trigger the reporting requirements of New York State law.
