New York health insurance company EmblemHealth has reached a settlement with the New York State Attorney General’s office and will pay a $575,000 financial penalty and enter into a corrective action plan for a mailing error that exposed 81,122 Social Security numbers, the website HealthData Management reports.
The insurer in 2016 mailed paper copies of its Medicare Prescription Drug Plan Evidence of Coverage to its members, but the member’s full SSN was printed on the envelope instead of a unique mailing identifier.
“The careless handling of Social Security numbers is never acceptable,” New York AG Eric Schneiderman said in a statement. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately.”
As part of the corrective action plan, EmblemHealth will conduct a comprehensive risk assessment and follow up on those findings. The company will also review and revise policies and procedures, conduct adequate training of workforce members related to mailings, and for three years report to Schneiderman all security incidents involving the loss or compromise of residents’ information.
Schneiderman over the years has sanctioned several health organizations that have had a data breach, including:
• Health information technology vendor CoPilot Provider Support Services in June 2017 paid a $130,000 fine and agreed to improve its notification and compliance programs after the firm did not notify more than 220,000 patients in a timely manner that protected health information had been compromised.
• University of Rochester Medical Center settled a breach by paying a $15,000 fine and entering into a corrective action plan after a nurse who was leaving the organization asked for a list of patients she had treated and received a spreadsheet with 3,043 patient names, addresses and diagnoses.