Saturday, January 21, 2017

HIPAA privacy violations, stolen USB drive costs MAPFRE $2.2M

MAPFRE Life Insurance Company of Puerto Rico has agreed to pay a fine of $2.2 million and enter into a settlement with the HHS Office for Civil Rights (OCR) for violations of the HIPAA Privacy and Security Rules that resulted in a breach in August 2011.

MAPFRE had a USB drive containing protected health information stolen from its information technology department. Data on the drive included member names, dates of birth and Social Security numbers, affecting 2,209 individuals.

But it was MAPFRE’s prior representations to OCR about its HIPAA compliance that got the company in trouble: its actual level of non-compliance was, according to OCR, the kind that triggers multi-million dollar fines.

“The investigation of OCR disclosed MAPFRE’s noncompliance with the HIPAA Privacy and Security Rules, particularly a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014,” OCR asserts in a statement. “MAPFRE also failed to execute or delayed implementing other corrective measures it informed OCR it would undertake.”

In the resolution agreement that MAPFRE accepted, OCR points out that the company also failed to implement a security awareness and training program for all workers, failed to implement encryption, and failed to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy Rule.

Now, MAPFRE will enter a 3-year corrective action program that includes a risk analysis, a risk management plan, and an initiative to implement procedures for evaluating environmental or operational changes that could affect the security of electronic protected health information.

In the last year, OCR has significantly ramped up HIPAA enforcement and the size of financial penalties, having determined that the industry wasn’t taking protection of patient data seriously enough and needed a wake-up call.

After Advocate Health Care in Illinois was hit in August 2016 with a $5.5 million fine—the largest to date—OCR director Jocelyn Samuels had a stern message for the industry. “We expect this settlement sends a powerful message to covered entities that they must engage in a comprehensive risk analysis and risk management to make sure that individuals’ electronic protected health information is safe and secure.”

The resolution agreement and corrective action plan are available here.
