NEW YORK CITY – One of the nation’s largest health insurance companies was slapped with a half-million dollar penalty after exposing the social security numbers of some 55,000 Medicare recipients in New York.
Attorney General Eric T. Schneiderman agreed to a settlement with EmblemHealth after the company admitted to a mailing error that resulted in 81,122 social security numbers being disclosed on a mailing; 55,664 of the affected individuals were New York residents.
On October 13, 2016, the company sent a paper copy of its Medicare Prescription Drug Plan Evidence of Coverage that included a mailing label bearing the policyholder’s social security number. Normally, all mailings carry a unique mailing identifier printed on the envelope. In this case, however, the mailing inadvertently used the insured’s Health Insurance Claim Number instead, which incorporated the insured’s social security number.
“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”
In addition to paying a $575,000 penalty, under the settlement EmblemHealth must implement a Corrective Action Plan that includes a thorough analysis of the security risks associated with mailing policy documents to policyholders, and must submit a report of those findings to the Attorney General’s office within 180 days of the settlement.
Attorney General Schneiderman also reiterated his call to improve New York’s weak and outdated security laws with the “Stop Hacks and Improve Electronic Data Security Act” (or “SHIELD Act”). Introduced by the Attorney General in November 2017, the SHIELD Act would comprehensively protect New Yorkers’ personal information from the growing number of data breaches and close major gaps in New York’s data security laws, without putting an undue burden on businesses.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee.