Puerto Rico life insurance company to pay $2.2M HIPAA settlement

MAPFRE Life Insurance Company of Puerto Rico agreed to implement a corrective action plan and pay $2.2 million to HHS' Office for Civil Rights to settle claims it violated HIPAA.

MAPFRE, a subsidiary of Spain-based MAPFRE S.A., underwrites and administers health insurance plans and products in Puerto Rico.

The settlement is based on MAPFRE's "impermissible disclosure of unsecured electronic protected health information."

On Sept. 29, 2011, MAPFRE filed a report with the OCR claiming a USB device was left in its IT department unguarded overnight and was subsequently stolen. The USB device contained the ePHI of 2,209 patients, including their complete names, dates of birth and Social Security numbers. In the report, MAPFRE told the OCR it was able to identify the breached ePHI by reconstituting the data on the computer the USB device was attached to.

After investigating the incident, the OCR determined that contrary to MAPFRE's previous declarations, MAPFRE did not conduct a proper risk analysis or implement risk management plans. The OCR also found MAPFRE did not deploy encryption on its laptops and removable storage devices until Sept. 1, 2014. Additionally, MAPFRE either delayed implementing or failed to implement other corrective actions it told OCR it would complete.

"Covered entities must not only make assessments to safeguard ePHI, they must act on these assessments as well," said OCR Director Jocelyn Samuels. "OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences."

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars