Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?

The fine stems from the mailing of a pamphlet last September to 13,336 Dual Eligible Medicare beneficiaries which inadvertently displayed the recipient’s Medicare beneficiary number. Ricardo Rivera Cardona explained that TSS’s contract with the agency allows the latter to impose fines of $500-$100,000 per member. In addition, the fine included $100,000 for TSS’s alleged failure to cooperate with the investigation. For more about this case, see the article written by Marianne Kolbasuk McGee at GovInfoSecurity.com: Huge Fine in Local Puerto Rico Breach: Local Official Promises More Hefty Fines in Other Cases.

In addition to the fines, TSS has been suspended from enrolling new Dual Eligible Medicare beneficiaries and is required to notify affected individuals that they have the right to disenroll from TSS.

All this brings to mind the old adage, “An ounce of prevention is worth a pound of cure.” Providers, health plans, and other HIPAA covered entities should have a process to check the content of mailings containing protected health information as well as how the outside of the mailing looks before sending mailings to patients/beneficiaries. All too often, mailings to patients/beneficiaries contain information on other patients/beneficiaries or, as appears to be the case in this instance, highly sensitive information is visible to anyone handling the envelope. Unfortunately, many copy/mailing jobs are contracted out to companies that don’t have a review process in place. Even if they did, would they recognize a problem when they saw it?

TSS has the right to request a hearing to challenge the findings and proposed penalties.

For more information in the Louisville, KY; Lexington, KY or New Albany, IN areas, contact Erin McMahon.

For more information in the Memphis, TN; Nashville, TN or Jackson, MS areas, contact Charles Key.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (Address never made public)

Name

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Wyatt HiTech Law Blog

A legal blog about consumer and business data privacy and security in a high tech world

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Share this:

Like this:

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.