Impermissible Disclosure of ePHI Lead to $2.2 Million Settlement

MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – has agreed a $2.2 million settlement, with the U.S. Department of Health and Human Services’ Office for Civil Rights, to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The penalty settlement relates to the disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a USB storage device (pen drive) was left overnight in the IT Department from where it was illegally taken. The USB device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The USB device was not securely protected by a password and data on the device were not encrypted.

MAPFRE Life made the device theft known to OCR, which began an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

MAPFRE Life is the second HIPAA-covered body to settle potential HIPAA breaches with OCR in 2017. Last week, OCR revealed a settlement of $475,000 had been agreed with Presense Health for violations of the HIPAA Breach Notification Rule.

OCR has enhances its enforcement of HIPAA Rules in the last few years, with more settlements agreed last year than in any other. In 2016, 12 healthcare organizations settled potential HIPAA violations with OCR, along with one civil monetary penalty (CMP)..