HIPAA Violations, Stolen USB Drive Costs Insurer $2.2M

MAPFRE Life Insurance Company of Puerto Rico has agreed to pay a $2.2 million fine and enter into a settlement with the HHS Office of Civil rights for violations of the HIPAA privacy and security rules that resulted in a breach in August 2011.

MAPFRE had a USB drive containing protected health information stolen from its IT department. Data on the drive included member names, dates of birth and Social Security numbers, affecting 2,209 persons.

But it was prior representations to OCR of MAPFRE’s HIPAA compliance that got the company in trouble, with an actual level of non-compliance, according to OCR, that triggers multi-million dollar fines.

“OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014,” OCR contends in a statement. “MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.”

In a resolution agreement that MAPFRE accepted, OCR notes the company further failed to implement a security awareness and training program for all employees, failed to implement encryption and failed to implement reasonable and appropriate policies and procedures to comply with HIPAA.

Now, MAPFRE will enter into a three-year corrective action program that includes a risk analysis, a risk management plan and an initiative to implement processes to evaluate environmental or operational changes that could affect the security of electronic protected health information.

In the past year, OCR has significantly ramped up HIPAA enforcement and the size of financial penalties, having determined that the industry was not taking protection of patient data seriously enough and needed a wake-up call.

After Advocate Health Care in Illinois was hit in August 2016 with a $5.5 million fine—the largest to date—OCR director Jocelyn Samuels had a stern message for the industry. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”

MAPFRE did not respond to multiple attempts by Health Data Management seeking a response to OCR’s charges.

The resolution agreement and corrective action plan are available here.

For reprint and licensing requests for this article, click here.
Security risk Data and information management Data security Law and regulation Compliance
MORE FROM DIGITAL INSURANCE