The US DHS Office of Civil Rights has announced the second HIPAA fine of the year, a $2.2 million settlement against a Puerto Rico-based life insurance company known as MAPFRE Life, a subsidiary of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
According to the OIG press release, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals.
OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE
OCR’s guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html