
State of NJ Announces Settlement with EmblemHealth Over Sensitive Personal Information Breach  

New Jersey

Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced today that health insurance provider EmblemHealth, Inc. has agreed to pay the State a $100,000 civil penalty to resolve allegations it improperly disclosed the highly confidential personal information of more than 6,000 New Jersey customers. 

 

Under terms of the settlement, EmblemHealth, one of the nation’s largest non-profit health insurance plans, also must implement a variety of significant internal compliance reforms designed to better safeguard the personal information of its policy holders.  EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement.   Both companies are headquartered in New York.

 

The agreement announced today resolves the State’s investigation into an October 2016 breach incident in which EmblemHealth improperly displayed the Medicare Health Insurance Claim Numbers (HICN), which mirror individual Social Security numbers, belonging to more than 81,000 policy holders, 6,443 of whom reside in New Jersey.

 

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said Attorney General Grewal.  “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

 

“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers – the information will be stored securely and utilized discreetly,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.  “This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data.”

 

The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.

 

The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code.  (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)

 

During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised.  Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file. 

 

The Division’s investigation resulted in allegations that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA).

 

Among other settlement terms, EmblemHealth has agreed to no longer use HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files.  Instead, the company will convert to a system that employs unique identifiers to identify its customers.
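The control the settlement describes, scanning a mailing file for SSN-based identifiers before it leaves for a print vendor and replacing them with opaque per-customer identifiers, is shown below as an added example. It is not code from the settlement, the Division or EmblemHealth. The mailing-file layout, column names and records are constructed; the HICN pattern (nine SSN digits followed by a one-letter beneficiary identification code with an optional second letter or digit) and the `PKG-` token format are assumptions made for the example.

```python
"""
Pre-send scan of a vendor mailing file for Medicare HICNs, plus tokenization.

Added example; not part of the settlement or EmblemHealth's own tooling.
The file layout, column names and records below are constructed.
"""
import csv
import hashlib
import hmac
import io
import re

# Assumption: a HICN is the nine-digit SSN followed by a Beneficiary
# Identification Code of one letter, optionally followed by a letter or digit.
# A bare nine-digit run is also flagged: a stripped BIC still leaves an SSN.
HICN_RE = re.compile(r"^\d{9}[A-Z][A-Z0-9]?$")
SSN_RE = re.compile(r"^\d{9}$")

# Constructed sample mailing file (not real data). The "package_id" column
# carries HICNs, mirroring the mislabelled "Package ID#" described above.
CONSTRUCTED_FILE = """member_name,package_id,address
Jane Doe,123456789A,1 Main St Newark NJ
John Roe,987654321B1,2 Elm Ave Trenton NJ
Pat Poe,MBR-0042,3 Oak Rd Camden NJ
"""


def _normalize(value: str) -> str:
    """Drop separators and case so '123-45-6789 a' and '123456789A' match alike."""
    return value.strip().replace("-", "").replace(" ", "").upper()


def is_hicn_like(value: str) -> bool:
    """True if the value looks like a HICN or a bare nine-digit SSN."""
    v = _normalize(value)
    return bool(HICN_RE.match(v) or SSN_RE.match(v))


def scan_mailing_file(text: str) -> dict:
    """Return {column_name: count of HICN/SSN-like values} for columns that hit."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        for col, val in row.items():
            if val is not None and is_hicn_like(val):
                hits[col] = hits.get(col, 0) + 1
    return hits


def tokenize(value: str, key: bytes) -> str:
    """Opaque per-customer identifier: HMAC of the HICN under a key the vendor never sees.

    The token is stable per customer (so the vendor can match returns to a
    record) but cannot be reversed to the SSN without the key.
    """
    digest = hmac.new(key, _normalize(value).encode(), hashlib.sha256).hexdigest()
    return "PKG-" + digest[:16].upper()  # assumed token format


def scrub_for_vendor(text: str, key: bytes) -> str:
    """Replace every HICN-like value with a token; fail closed if any survive."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(
            {c: (tokenize(v, key) if v and is_hicn_like(v) else v) for c, v in row.items()}
        )
    result = out.getvalue()
    # Re-scan the output rather than trusting the rewrite: the send step
    # should refuse any file that still carries an SSN-based identifier.
    if scan_mailing_file(result):
        raise RuntimeError("HICN-like values remain after scrubbing; do not send")
    return result


if __name__ == "__main__":
    print("columns carrying HICN/SSN values:", scan_mailing_file(CONSTRUCTED_FILE))
    print(scrub_for_vendor(CONSTRUCTED_FILE, b"example-key-not-for-production"))
```

In practice the scan belongs in the hand-off step to the print vendor, run automatically rather than left to whoever inherits the mailing task, and the HMAC key stays with the insurer so the vendor only ever sees the token.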

 

EmblemHealth also has agreed to require the formal transfer of an outgoing employee’s responsibilities to another qualified employee or third party, and that the transition process will include necessary training. 

Further, the company has agreed to engage a training vendor and implement new privacy and security training modules for employees upon hiring, and on an annual basis after that.

 

In addition, EmblemHealth has agreed to notify not only its customers but, for the next three years, the Division of Consumer Affairs when any breach of security affecting the personal information of New Jersey customers takes place.
