36,000 Affected in Major Triple-S Advantage Data Breach

by | Feb 19, 2018

A privacy breach has been experienced by the Puerto Rico Health Plan Triple-S Advantage. The breach, which affected 36,000 plan members, was due to a mailing mistake which saw sensitive information of plan subscribers disclosed to incorrect people.

The released information exposed was minimal and did not include Social Security numbers or financial information; however, plan susscribers’ ID numbers were impermissibly released along with names, times of service, and treatment codes.

The mailing mistake occurred in November but was not found by Triple-S until December 5, 2017. A thorough investigation was begun to determine how the error occurred and action has now been implemented to ensure that similar mistakes do not occur in future mailings to plan members and healthcare suppliers.

In its substitute breach notice, Triple-S said that its mailing processes have been amended and that those processes have now been tested. Another mailing run has been carried out and copies of the original letters have now been issued to the correct addresses. Affected plan subscribers have also been alerted of the exposure of their PHI by first class mail.

Since plan member ID subscribers have been exposed, affected people have been advised to check their Explanation of Benefits statements in detail to make sure only services that have been received are included. Since there is potential for malicious actors to amend addresses, plan subscribers have been advised to check to make sure regular correspondence from Triple S is still arriving.

Triple S stated that it has not received any indication that any PHI has been accessed or misused by unauthorized people.

The breach report filed to the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates 36,305 plan subscribers were affected by the mailing mistake.

While all privacy breaches are unwelcome, this incident will be especially worrying for Triple-S. In 2015, after an investigation into privacy breaches by the HHS’ Office for Civil Rights (OCR), Triple S Management Corporation – the parent company of Triple-S Advantage – settled a number of HIPAA violations with OCR for $3.5 million. Triple S was also fined $1.5 million by the Puerto Rico Health Insurance Administration.

The multi-million dollar settlement with OCR was to account for serial violations of HIPAA Rules and multiple compliance failures that lead to eight data breaches by Triple S Management Corporation subsidiaries from 2010-14.

The company will remain on OCR’s radar and the latest violation is certain to be very carefully reviewed for any evidence of noncompliance with HIPAA Rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy