Caribbean Business reports that Triple-S Salud has been fined nearly $6.8 million for violations of the federal Health Insurance Portability & Accountability Act (HIPAA). Triple-S Salud is a licensee of Blue Cross Blue Shield of Puerto Rico and handles managed care for Medicare enrollees.
The penalty handed down by the Puerto Rico government’s Medical Insurance Administration (ASES by its Spanish acronym) against the unit of San Juan-based Triple-S Management Corp. stem from a probe into a privacy breach last year.
ASES Director Ricardo Rivera said Triple-S Salud was fined $6.7 million improperly handled private health records of more than 13,330 patients in written correspondence to them. Another $100,000 fined was tacked on after the company provided vague or incomplete information during the probe, he said.
The sanctions also bar Triple-S Salud from signing up more beneficiaries for its Platino line until it presents a corrective plan to avoid such HIPAA violations.
Read more on Caribbean Business.
A notice on ASES’s web site (in Spanish) explains that on September 20, 2013, Triple-S Salud sent a mailing that exposed Medicare Health Insurance Claim Numbers in the mailing addresses. They became aware of their error on September 23, 2013.
This breach had been added to HHS’s public breach tool last month and I had commented on it here. It’s still not clear to me what the other 70,000+ entry for Triple-S Salud on that same date in HHS’s breach tool refers to.
As I’ve noted before, Triple-S Salud has had some big breaches, and this was not their first fine – although it is certainly their largest fine. It’s important to note that this fine does not appear to have been issued by HHS/OCR but by the government of Puerto Rico. This appears to be the largest monetary penalty ever issued for a HIPAA breach, unless I’m forgetting something?
Post corrected to reflect it was health insurance claim numbers and not account numbers.
Update: Anna Prior of the WSJ reports on the penalty, here.