Fear the States: New York Settles Information Security Proceeding with EmblemHealth for $575,000

New York’s Attorney General Eric T. Schneiderman’s Press Release of March 6, 2018 is an indicator to health plans that they ignore state information security rules at their peril. New York settled its investigation into EmblemHealth with regard to its breach of Social Security Numbers of over 80,000 subscribers for $575,000 plus a Corrective Action Plan that will cost EmblemHealth significantly in legal and consultant’s fees, in hours required for compliance and reputation loss among its subscribers and potential subscribers.

The breach occurred the old-fashioned way, through a paper mailing in which the mailing label displayed the subscriber’s Health Insurance Claim Number, which included the subscriber’s Social Security Number.

Health plans that do business in New York State are vulnerable to regulatory enforcement three ways. The unauthorized disclosure of Social Security Numbers by a health plan, an entity covered by HIPAA, could have been the subject of a proceeding by the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”), but attorney general also have jurisdiction to bring HIPAA violation proceedings and Mr. Schneiderman moved more quickly than OCR. In addition, New York proscribes breaches of personal information such as Social Security Numbers under General Business Law § 399-ddd (2) (e).  If the protected personal information is in digital form, the cybersecurity regulations (24 NYCRR 500 et. seq.) of the New York Department of Financial services, which supervises health insurance companies, comprise strict regulations for protection of data like Social Security Numbers.

In other words, health plans have a three-headed regulatory beast it must tame. Fines and penalties under the three regulatory schemes can be cumulative and state attorneys general, not constrained by anti-regulation ideology, may not hesitate to bring penalty proceedings in the interest of protection of the vital information of state residents.  That poses a significant financial risk, as well as a business risk to the extent that healthcare providers and subscribers may think twice about engaging with a health plan that does not assiduously safeguard account numbers, medical information or Social Security numbers.

If you have questions regarding information management and compliance with state and federal regulations for health plan data, please contact Kenneth N. Rashbaum.