[BreachExchange] New York State Attorney General Settles Data Breach With Health Plan In An Unprecedented Settlement With HIPAA Compliance Undertones

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 12 18:58:51 EDT 2018


https://www.jdsupra.com/legalnews/new-york-state-attorney-general-settles-94401/

New York Attorney General Eric Schneiderman has been in hot pursuit of
organizations in his state that fail to maintain the security and privacy
of personal information. On March 6, 2018, the Attorney General’s office
announced that it had reached a settlement with New York health plan
EmblemHealth, under which EmblemHealth will pay a $575,000 fine related to
violations of New York state privacy laws.

The settlement follows the health plan’s discovery that it had erroneously
sent a mailing to policyholders that included a label on the envelope with
the policyholder’s Social Security number. The New York Attorney General
noted this disclosure resulted in a breach of not only the Health Insurance
Portability and Accountability Act of 1996 and its implementing regulations
(“HIPAA”) but also New York’s General Business Law Section 399-ddd(2)(e),
which prohibits visibly printing Social Security numbers on envelopes.

In addition to paying $575,000 to settle the matter with the Attorney
General’s office, EmblemHealth entered into a corrective action plan with
the state, requiring it to conduct a risk analysis of the security risks
within EmblemHealth’s information technology infrastructure and, within 180
days of the settlement, report those risks to the Attorney General’s office.
EmblemHealth must also review its policies and procedures and advise the
Attorney General’s office of any action that it takes arising out of that
review. If it takes no action, it must provide a detailed narrative as to
why no action is necessary. EmblemHealth, as part of the settlement, must
also track its mailing processes to ensure all employees involved are
appropriately trained for the mailing-related jobs to which they are
assigned. The corrective action plan also requires
EmblemHealth to report any known violations of policies and procedures
relating to the minimum necessary standard set forth in the HIPAA Privacy
Rule to the appropriate EmblemHealth official and to remediate any
violations as soon as practicable.

While the New York Attorney General and other state attorneys general have
taken action against businesses involved in data breaches, this case is
particularly interesting because it is an effort to settle HIPAA
violations. The settlement specifically cites violations of the HIPAA
Privacy Rule and the corrective action plan includes HIPAA compliance
measures. While the Health Information Technology for Economic and Clinical
Health Act (“HITECH Act”) granted state attorneys general the authority to
enforce HIPAA through civil actions brought on behalf of state residents,
until now this authority has not been publicly invoked to any noteworthy
degree. The EmblemHealth case is an important reminder that covered
entities and business associates, in addition to complying with HIPAA, must
also ensure that they abide by state privacy laws that prohibit the
improper disclosure of certain personal information. While HIPAA covered
entities and business associates can continue to expect scrutiny from and
enforcement by the Department of Health and Human Services, Office of Civil
Rights, they must be prepared for scrutiny and action from state regulators
and enforcers as well.