Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI

Jan. 19, 2017
MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by paying $2.2 million.


The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the HIPAA settlement this week and highlighted that the settlement demonstrates the importance of implementing safeguards for electronic protected health information (ePHI).

Along with the $2.2 million settlement, MAPFRE Life Insurance Company of Puerto Rico also agreed to settle potential noncompliance with the Privacy and Security Rules by implementing a corrective action plan.

“With this resolution amount, OCR balanced potential violations of the HIPAA rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans,” HHS OCR officials stated in a press release.

According to an HHS OCR investigation, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where it had been left overnight.

“According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached,” HHS OCR stated in the press release.

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically, “a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.” MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, according to HHS.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a prepared statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
