EmblemHealth Pays New Jersey $100,000 Penalty for HIPAA Violations

The New Jersey Attorney General's office has penalized the health insurance provider EmblemHealth $100,000 for a 2016 data breach that compromised the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth mailed Medicare Part D Prescription Drug Plan Evidence of Coverage paperwork to its plan members. The mailing labels showed each member's beneficiary identification code and Medicare Health Insurance Claim Number (HICN); because HICNs are derived from Social Security numbers, the labels effectively exposed the members' SSNs. The documents were sent to more than 81,000 plan members, including 6,443 New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and found failures of procedure, policy and training. A trained employee had handled prior Evidence of Coverage mailings, but when that person left EmblemHealth, a team manager who had received only limited task-specific training took over the mailing duties without supervision.

That manager supplied a data file to EmblemHealth's mailing vendor without first removing the HICNs, so the HICNs were printed on the mailing labels. The Division alleged that this mistake violated HIPAA, the New Jersey Consumer Fraud Act and the New Jersey Identity Theft Prevention Act.

Health insurers have a duty to prevent improper disclosure of their plan members' sensitive personal data, and EmblemHealth failed in that duty here. The settlement penalty is intended to deter the company from repeating such mistakes.

Besides the financial penalty, EmblemHealth agreed to amend its policies and procedures to prevent further disclosure of plan members' PHI. Among the changes, HICNs and Medicare Beneficiary Identifiers will no longer be used in mailings.

EmblemHealth will also ensure that a proper hand-over process is in place when the responsibilities of departing staff are transferred to another EmblemHealth employee or to a third party, and that the necessary training is provided.

All incoming staff will also have to complete additional privacy and security training modules, including annual refresher training. The New Jersey Division of Consumer Affairs will monitor EmblemHealth for the next three years and must be notified of any breach of New Jersey customers' PHI.

The settlement demonstrates that the Division of Consumer Affairs is committed to protecting consumer privacy and will hold businesses accountable for careless handling of personal data.

New Jersey is a highly active enforcer of HIPAA Rules. In 2018 it issued four settlements resolving HIPAA violations: besides the EmblemHealth fine, Virtua Medical Group ($417,816), Best Medical Transcription ($200,000) and Aetna ($365,211.59) settled HIPAA violation cases with the state.