As breaches go, the theft of a USB drive with ePHI on 2,209 insurance members doesn’t sound like a lot, but the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a settlement with MAPFRE Life Insurance Company of Puerto Rico because of what it found when it investigated the breach report on the incident.
MAPFRE has agreed to settle potential noncompliance with the Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan.
According to OCR, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB drive containing ePHI was stolen from its IT department where it was left overnight. The theft occurred on August 5, 2011. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers for 2,209 individuals.
OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules: specifically, a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement, or delayed implementing, other corrective measures it had informed OCR it would undertake.
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE.