The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of over 6,000 New Jersey plan members.
On October 3, 2016, EmblemHealth mailed Medicare Part D Prescription Drug Plan Proof of Coverage documents to its members.
The mailing labels contained beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which are based on Social Security numbers. The documents were sent to over 81,000 policy members, 6,443 of whom were New Jersey residents.
The New Jersey Division of Consumer Affairs investigated the breach and identified failures in policies, procedures, and training. Earlier mailings of Evidence of Coverage documents had been handled by a trained employee, but when that person left EmblemHealth, the mailing duties were passed to a team manager who had received only minimal task-specific training and worked without supervision.
That individual sent a data file to EmblemHealth’s mailing vendor without first removing the HCINs, so the HCINs were printed on the mailing labels: a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.
“Health underwriters entrusted with their customers’ confidential private information have a duty to avoid inappropriate disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its responsibilities to its clients in this instance, and I am delighted that our resolution contains measures intended to avoid similar breaches at this firm in the future.”
In addition to the financial penalty, EmblemHealth has agreed to change its policies and procedures to prevent further breaches of plan members’ PHI. Those changes include using unique patient identifiers on mailings instead of HCINs or Medicare Beneficiary Identifiers.
EmblemHealth will also ensure that a proper handover process is followed when the duties of departing staff are transferred to other EmblemHealth employees or third parties, and that all necessary training is provided.
All new employees will also be required to complete additional privacy and security training modules, and refresher training will be conducted annually. The New Jersey Division of Consumer Affairs will monitor EmblemHealth for the next three years and must be notified of any further breaches of the PHI of New Jersey customers.
“This resolution should assist as a reminder that we are devoted to protecting consumer secrecy, and will hold accountable any companies that are negligent in the processing of such private data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.
New Jersey has been a very active enforcer of HIPAA and has reached four settlements in 2018 for HIPAA violations. In addition to the EmblemHealth HIPAA penalty, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.