DataBreaches.Net


NJ Fines Health Insurance Provider $100K For Personal Information Breach

Posted on December 10, 2018 by Dissent

Kimberly Bosco reports:

New York-based health insurance provider EmblemHealth, Inc. is paying the state of New Jersey a hefty fine for disclosing confidential personal information of over 6,000 New Jersey customers.


Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced on Dec. 10 that EmblemHealth will pay NJ a $100,000 civil penalty. The terms of the settlement also stipulate that the insurance company must also implement a variety of significant internal compliance reforms to better safeguard the personal information of its policy holders, according to the Attorney General’s office.

EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement.

Read more on Jersey Shore Online.  

This is the 2016 breach that had affected more than 80,000 policyholders.  New York settled with EmblemHealth in March of this year for $575,000, but NY had many more residents affected than New Jersey.  The press release from the NJ Attorney General’s Office appears below.  You can access a copy of the consent order here.

TRENTON – Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced today that health insurance provider EmblemHealth, Inc. has agreed to pay the State a $100,000 civil penalty to resolve allegations it improperly disclosed the highly confidential personal information of more than 6,000 New Jersey customers. 


Under terms of the settlement, EmblemHealth, one of the nation’s largest non-profit health insurance plans, also must implement a variety of significant internal compliance reforms designed to better safeguard the personal information of its policy holders. EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement. Both companies are headquartered in New York. 


The agreement announced today resolves the State’s investigation into an October 2016 breach incident in which EmblemHealth improperly displayed the Medicare Health Insurance Claim Numbers (HICN), which mirror individual Social Security numbers, belonging to more than 81,000 policy holders, 6,443 of whom reside in New Jersey. 


“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said Attorney General Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.” 


“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers — the information will be stored securely and utilized discreetly,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data.” 


The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.


The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)


During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file. 


The Division’s investigation resulted in allegations that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA).


Among other settlement terms, EmblemHealth has agreed to no longer use HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files. Instead, the company will convert to a system that employs unique identifiers to identify its customers.


EmblemHealth also has agreed to require the formal transfer of an outgoing employee’s responsibilities to another qualified employee or third party, and that the transition process will include necessary training. Further, the company has agreed to engage a training vendor and implement new privacy and security training modules for employees upon hiring, and on an annual basis after that. 


In addition, EmblemHealth has agreed to notify not only its customers but, for the next three years, the Division of Consumer Affairs when any breach of security affecting the personal information of New Jersey customers takes place.


Investigator Walter R. Kaminski of the Office of Consumer Protection within the Division of Consumer Affairs conducted this investigation.
Deputy Attorney General Lara J. Fogel, along with former Deputy Attorney General Michelle T. Weiner of the Government & Healthcare Fraud Section within the Division of Law, represented the State in this matter. 


