NJ Fines Health Insurance Provider $100K For Personal Information Breach

File Photo

TRENTON – New York-based health insurance provider EmblemHealth, Inc. is paying the state of New Jersey a hefty fine for disclosing confidential personal information of over 6,000 New Jersey customers.

Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced on Dec. 10 that EmblemHealth will pay NJ a $100,000 civil penalty. The terms of the settlement also stipulate that the insurance company must also implement a variety of significant internal compliance reforms to better safeguard the personal information of its policy holders, according to the Attorney Generals’ office. EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement.

Following a breach incident in October 2016, affecting over 81,000 policy holders nationwide, 6,443 in New Jersey, the state launched an investigation into the matter.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said Attorney General Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

When the company’s vendor sent out a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to its more than 81,000 customers on October 3, 2016, the mailing label also included each customer’s HICN. An HICN incorporates the nine digits of one’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. The Attorney General’s office reported that the HICN was identified at the “Package ID#” on the mailing label.

“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers — the information will be stored securely and utilized discretely,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.  “This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data.”

The state’s investigation found that the incident occurred after the EmblemHealth employee who typically prepared the Evidence of Coverage mailings left and was replaced by a team manager of EmblemHealth’s Medicare Products Group with minimal training in that area.

Before forwarding the data file to the print vendor, this employee failed to remove the patient HICNs from the electronic data file.

The state found that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA).

The settlement agreement also stipulates that:

  • EmblemHealth will no longer use HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files
  • They will facilitate the formal transfer of an employee’s responsibilities to another qualified employee upon one’s departure, incorporating the necessary training.
  • The company will also engage a training vendor and implement new privacy and security training modules for employees upon hiring, and on an annual basis after that.
  • EmblemHealth also plans to notify not only its customers but, for the next three years, the Division of Consumer Affairs when any breach of security affecting the personal information of New Jersey customers takes place.