HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Emblem Health Mailing Error Exposes Members’ Social Security Numbers

Emblem Health, one of the largest health plans in the United States, has discovered a printing error has resulted in some members’ Social Security numbers being printed on the outside of envelopes during a recent mailing.

The New York-based health insurer says the privacy breach affects members of its subsidiary company, Group Health Inc. (GHI).

The error was made while mailing Medicare Prescription Drug Plan Evidence of Coverage documents to health plan members. Normally, all mailings include a unique mailing identifier which is printed on the envelope. These ID numbers are randomly generated and are included on the envelopes to help keep track of mailings.

However, for the latest mailing, an error was made that resulted in members Health Insurance Claim Number (HICN) being included in the electronic file that was sent to the health plan’s mailing vendor. That number was then printed on the envelopes instead of the mailing identifier. HICN numbers are formed from members’ 9-digit Social Security numbers.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Affected members therefore had their Social Security numbers printed on the outside of the envelopes along with their name and address. The HICN numbers were listed as a package number on the envelope (PKG#), not as a HCIN number or Social Security number. Even if the envelopes were viewed, it would likely be unclear that the number was the same as members’ Social Security numbers.

However, since SSNs were exposed, Emblem Health is taking no chances and has offered all affected members free enrolment in AllClear’s credit monitoring and identity repair services. Members will also be protected by a $1 million identity theft insurance policy and the services will be available for a period of two years rather than the standard 12 months.

Affected members are now being notified of the breach by mail and have been advised to sign up for the services and ensure that the label from the Evidence of Coverage mailing is removed and disposed of in a secure manner.

Emblem Health will be reviewing its policies and procedures and implementing new controls to ensure that errors of this nature are prevented in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.