New York Attorney General settles HIPAA allegations with a health insurance company

State Issues State Attorney General Privacy/Cyber Risk & Data Security Settlement

On March 6, the New York Attorney General announced a settlement with a healthcare provider for an alleged violation of the Health Insurance Portability Accountability Act (HIPAA) concerning a mailing error, which resulted in the disclosure of over 80,000 social security numbers. According to the announcement, in October 2016, the healthcare provider discovered that its mailing envelopes for certain health policies inadvertently included the customers’ social security numbers as part of the “Health Insurance Claim Number” printed on the envelope. Under the terms of the settlement, the healthcare provider is required to pay a $575,000 fine, review its policies and procedures, and implement a corrective action plan which includes an analysis of the security risks associated with the mailing of policy documents.