A recent case in New York shows physicians how expensive a major data breach can be from a financial, reputational and legal standpoint.
Mailing error results in breach, penalties, and a renewed focus on the proposed SHIELD Law.
Recently, the New York Attorney General announced that a settlement had been reached with EmblemHealth and its wholly owned subsidiary - Group Health Incorporated (collectively, “Emblem”) as a result of a mailing error that resulted in nearly 82,000 social security numbers being disclosed. The penalties that were assessed by the State of New York included the following: a $575,000 penalty, implementation of a Corrective Action Plan, and conducting a comprehensive risk assessment.
“EmblemHealth is one of the largest health plans in the United States. On October 13, 2016, it discovered that it had mailed 81,122 policyholders, including 55,664 New York residents, a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (“EOC Mailing”) that included a mailing label with the policyholder’s social security number on it. Normally, all mailings include a unique mailing identifier that is printed on the envelope. However, in this case, the mailing inadvertently included the insured’s Health Insurance Claim Number, which incorporated the insured’s social security number,” New York Attorney General Eric T. Schneiderman said in a statement.
Ironically, HIPAA and the HITECH Act require an annual, comprehensive risk assessment to determine whether the confidentiality, availability and integrity of both personally identifiable information (“PII”) and protected health information (“PHI”) are maintained with appropriate technical, administrative and physical safeguards. Emblem was required to protect its members’ PII and PHI with such safeguards.
It failed to comply with a plethora of standards and procedures set forth in HIPAA and the HITECH Act. By exposing the individuals’ social security numbers on the EOC mailing, Emblem violated not only federal law but also New York General Business Law §399-ddd(2)(e). The HIPAA Minimum Necessary Standard (45 CFR §§ 164.502(b), 164.514(b)), which requires that only the minimum information needed for a given purpose be disclosed, was not applied. For example, instead of the full Social Security Number, only the last four digits should have appeared on the mailing. Better yet, a unique patient identifier could have been used.
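The data-minimization point above can be enforced mechanically before a print run goes out. The following Python example is added here for illustration and is not code from the article, from Emblem, or from any mail vendor: it issues a random mailing identifier that has no relation to the SSN, masks an SSN to its last four digits where a partial value is genuinely needed, and scans every assembled label for SSN-shaped digit runs before it is released to the printer. The member record is a constructed, fictitious sample, and the assumption that a legacy Medicare HICN is the SSN followed by a one-letter suffix is the author’s, used only to show why a nine-digit check also catches the HICN the article describes.

```python
import re
import secrets
import string

# Constructed sample member record (fictitious data, not from the Emblem case).
MEMBER = {
    "name": "Jane Q. Example",
    "street": "123 Sample Street",
    "city_state_zip": "Anytown, NY 10000",
    "ssn": "123-45-6789",
    # Assumption: a legacy Medicare HICN is the SSN plus a one-letter suffix,
    # which is why printing it leaks the SSN even though it is a "claim number".
    "hicn": "123456789A",
}

# Nine digits in SSN layout, dashes optional, not embedded in a longer digit run.
# The lookarounds keep a 9-digit run inside a 10-digit phone number from matching.
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def mask_ssn(ssn: str) -> str:
    """Reduce an SSN to its last four digits (Minimum Necessary when a partial is needed)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "XXX-XX-" + digits[-4:]


def issue_mailing_id() -> str:
    """Random identifier with no relation to the SSN.

    The mapping from identifier to member lives in a separate lookup table that
    never leaves the mail house. Letters only, so the identifier itself can never
    trip the SSN check below.
    """
    return "M-" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(10))


def find_ssn_like(text: str) -> list:
    """Return every SSN-shaped digit run found in the text (empty list if none)."""
    return SSN_PATTERN.findall(text)


def build_label(member: dict, identifier: str) -> str:
    """Assemble the envelope label: identifier line, then name and address."""
    return "\n".join([identifier, member["name"], member["street"], member["city_state_zip"]])


def safe_to_print(label: str) -> bool:
    """Pre-dispatch check: a label with any SSN-shaped value must not be released."""
    return not find_ssn_like(label)


if __name__ == "__main__":
    # What went wrong: the HICN was used as the mailing identifier.
    bad = build_label(MEMBER, MEMBER["hicn"])
    print("HICN label safe?", safe_to_print(bad), "found:", find_ssn_like(bad))
    # What should have happened: an unrelated identifier on the envelope.
    good = build_label(MEMBER, issue_mailing_id())
    print("Unique-id label safe?", safe_to_print(good))
    print("Masked SSN for internal use:", mask_ssn(MEMBER["ssn"]))
```

The check is deliberately simple and runs on the final rendered label text rather than on the database fields, because the Emblem error was a field substitution at the label-generation step, which is exactly where a field-level policy would not have looked. A production version would also log each blocked label as a near-miss for the annual risk assessment.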
In his press announcement, Schneiderman also reiterated his commitment to build upon New York’s security laws with the “Stop Hacks and Improve Electronic Data Security Act” (“SHIELD Act”). The goal of the SHIELD Act, which is different from the similarly named federal proposal concerning cybersecurity and power grids, is to protect New Yorkers from the increasing number of data breaches and close major gaps in existing security laws without imposing significant burdens on businesses.
For physicians, the Emblem breach serves as a reminder of the following:
1. PHI breaches are expensive from a financial, reputational and legal standpoint;
2. State laws and agencies can also impose penalties; and
3. The Minimum Necessary Standard must be applied in all verbal and written communications.