Second HIPAA Enforcement Action of 2017 – Failure to Safeguard Electronic Health Information
Puerto Rico Life Insurance Company failed to safeguard ePHI on USB Storage Device
$2.2 million penalty plus corrective action plan
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced a $2.2 million Health Insurance Portability and Accountability Act (HIPAA) settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE Life”) regarding the impermissible disclosure of unsecured electronic protected health information (ePHI). On September 29, 2011, MAPFRE Life reported to OCR that a USB data storage device described as a pen drive containing the protected health information (PHI) of 2,209 individuals was stolen from its IT department where it was left overnight. The pen drive included the complete names, dates of birth and Social Security numbers of the affected individuals. As a result of this report, OCR investigated and determined that MAPFRE Life did not conduct a thorough assessment of the risks and threats to the confidentiality, integrity, and availability of ePHI and as a result failed to implement security measures sufficient to reduce these vulnerabilities to a reasonable and appropriate level, including the failure to encrypt ePHI. MAPFRE did not utilize encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. OCR also determined that MAPFRE Life failed to implement reasonable and appropriate policies and procedures to comply with the requirements to safeguard ePHI and did not implement a security awareness and training program for all members of its workforce.
MAPFRE Life agreed to settle for $2,204,182 and enter into a three-year Corrective Action Plan aimed at addressing the noncompliance discovered by OCR during its initial investigation. In its press release, OCR noted that this high settlement amount balances potential violations of the HIPAA rules with MAPFRE’s financial standing. MAPFRE Life is a multinational insurance company headquartered in Spain that underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
This settlement, the second HIPAA settlement of 2017, emphasizes the need for covered entities to protect all types of PHI.
Earlier this month, Presence Health, an Illinois health care network, settled with OCR for $475,000 and agreed to a two-year corrective action plan resulting from a delay in issuing breach notifications following the breach of unsecured PHI. A Client Alert regarding this earlier settlement is available here. Together, these settlements signal that 2017 may be another highly active year for HIPAA enforcement.