The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Emblem Health Mailing Error Exposes Members’ Social Security Numbers

Posted By on Nov 16, 2016

Emblem Health, one of the largest health plans in the United States, has discovered a printing error has resulted in some members’ Social Security numbers being printed on the outside of envelopes during a recent mailing.

The New York-based health insurer says the privacy breach affects members of its subsidiary company, Group Health Inc. (GHI).

The error was made while mailing Medicare Prescription Drug Plan Evidence of Coverage documents to health plan members. Normally, all mailings include a unique mailing identifier which is printed on the envelope. These ID numbers are randomly generated and are included on the envelopes to help keep track of mailings.

However, for the latest mailing, an error was made that resulted in members Health Insurance Claim Number (HICN) being included in the electronic file that was sent to the health plan’s mailing vendor. That number was then printed on the envelopes instead of the mailing identifier. HICN numbers are formed from members’ 9-digit Social Security numbers.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Affected members therefore had their Social Security numbers printed on the outside of the envelopes along with their name and address. The HICN numbers were listed as a package number on the envelope (PKG#), not as a HCIN number or Social Security number. Even if the envelopes were viewed, it would likely be unclear that the number was the same as members’ Social Security numbers.

However, since SSNs were exposed, Emblem Health is taking no chances and has offered all affected members free enrolment in AllClear’s credit monitoring and identity repair services. Members will also be protected by a $1 million identity theft insurance policy and the services will be available for a period of two years rather than the standard 12 months.

Affected members are now being notified of the breach by mail and have been advised to sign up for the services and ensure that the label from the Evidence of Coverage mailing is removed and disposed of in a secure manner.

Emblem Health will be reviewing its policies and procedures and implementing new controls to ensure that errors of this nature are prevented in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist