Puerto Rico health plan Triple-S Advantage has experienced a privacy breach. The breach, which affected 36,000 plan members, was caused by a mailing mistake that resulted in sensitive information of plan subscribers being disclosed to the wrong people.
The exposed information was minimal and did not include Social Security numbers or financial information; however, plan subscribers’ ID numbers were impermissibly released along with names, times of service, and treatment codes.
The mailing mistake occurred in November but was not discovered by Triple-S until December 5, 2017. A thorough investigation was launched to determine how the error occurred, and measures have now been implemented to ensure that similar mistakes do not occur in future mailings to plan members and healthcare suppliers.
In its substitute breach notice, Triple-S said that its mailing processes have been amended and that those processes have now been tested. Another mailing run has been carried out and copies of the original letters have now been issued to the correct addresses. Affected plan subscribers have also been alerted to the exposure of their PHI by first class mail.
Since plan member ID numbers have been exposed, affected people have been advised to check their Explanation of Benefits statements in detail to make sure only services that have been received are included. Since there is potential for malicious actors to amend addresses, plan subscribers have also been advised to check that regular correspondence from Triple-S is still arriving.
Triple-S stated that it has not received any indication that any PHI has been accessed or misused by unauthorized people.
The breach report filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates 36,305 plan subscribers were affected by the mailing mistake.
While all privacy breaches are unwelcome, this incident will be especially worrying for Triple-S. In 2015, after an investigation into privacy breaches by the HHS’ Office for Civil Rights (OCR), Triple-S Management Corporation, the parent company of Triple-S Advantage, settled a number of HIPAA violations with OCR for $3.5 million. Triple-S was also fined $1.5 million by the Puerto Rico Health Insurance Administration.
The multi-million dollar settlement with OCR was to account for serial violations of HIPAA Rules and multiple compliance failures that led to eight data breaches by Triple-S Management Corporation subsidiaries from 2010 to 2014.
The company will remain on OCR’s radar and the latest violation is certain to be very carefully reviewed for any evidence of noncompliance with HIPAA Rules.