New Jersey is following New York in fining EmblemHealth after a breach affecting more than 6,000 patients occurred in October 2016.

EmblemHealth is a New York-based health insurance provider.

Back in March 2018, the New York Attorney General announced a $575,000 settlement for the breach that occurred in 2016. Now New Jersey is fining EmblemHealth $100,000 for the same breach.

The 2016 breach affected more than 81,000 policyholders nationwide, but only 6,443 were in New Jersey. The breach was a mailing error in which Health Insurance Claim Numbers of plans were printed on the outside of the envelopes.

Attorney General Gurbir S. Grewal of New Jersey reminded everyone that patients entrust their insurance companies with their private information, and that the insurance companies have a duty to keep that information private. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designated to prevent similar breaches at this company in the future,” Grewal said.

The state found that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act, and the Health Insurance Portability and Accountability Act (HIPAA), because the Health Insurance Claim Numbers (HICNs) that were printed on the outside of envelopes were created using the Social Security Numbers of consumers.

In addition to the $100,000 fine, the settlement requires EmblemHealth to implement a variety of internal compliance reforms to help protect such private information. These reforms include not using HICNs that include Social Security Numbers. EmblemHealth will also facilitate the formal transfer of an employee's responsibilities to other qualified employees when that employee leaves the company. EmblemHealth will hire a training vendor and implement new privacy and security training modules for new hires and annually after that.

Finally, EmblemHealth plans to notify customers and the Division of Consumer Affairs for the next three years if and when a breach of security affecting personal information of New Jersey customers occurs.

If you are worried about little incidents like this causing big issues and forcing you to pay large fines, you can join HIPAAgps today and learn new ways to help you protect your patients’ information.