Healthcare Informatics Magazine

Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI

January 19, 2017
by Heather Landi

MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by paying $2.2 million.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the HIPAA settlement this week and highlighted that the settlement demonstrates the importance of implementing safeguards for electronic protected health information (ePHI).

Along with the $2.2 million settlement, MAPFRE Life Insurance Company of Puerto Rico also agreed to settle potential noncompliance with the Privacy and Security Rules by implementing a corrective action plan.

“With this resolution amount, OCR balanced potential violations of the HIPAA rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans,” HHS OCR officials stated in a press release.

According to an HHS OCR investigation, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where it was left overnight.

“According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached,” HHS OCR stated in the press release.

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically, “a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.” MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, according to HHS.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a prepared statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
