Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Insurer to Pay $2.2M HIPAA Settlement for Disclosure of Unsecured ePHI

January 19, 2017
by Heather Landi
| Reprints

MAPFRE Life Insurance Company of Puerto Rico has agreed to settle potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by paying $2.2 million.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the HIPAA settlement this week and highlighted that the settlement demonstrates the importance of implementing safeguards for electronic protected health information (ePHI).

Along with the $2.2 million settlement, MAPFRE Life Insurance Company of Puerto Rico also agreed to settle potential noncompliance with the Privacy and Security Rules by implementing a corrective action plan.

“With this resolution amount, OCR balanced potential violations of the HIPAA rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans,” HHS OCR officials stated in a press release.

According to a HHS OCR investigation, on September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department where it was left overnight.  

“According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached,” HSS OCR stated in the press release.

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically, “a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014.” MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, according to HHS.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well” OCR director Jocelyn Samuels said in a prepared statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Geisinger, AstraZeneca Partner on Asthma App Suite

Geisinger has partnered with pharmaceutical company AstraZeneca to create a suite of products that integrate into the electronic health record and engage asthma patients and their providers in co-managing the disease.

Analysis: Healthcare Ransomware Attacks Decline in First Half of 2018

In the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a new report form cybersecurity firm Cryptonite.

Dignity Health, UCSF Health Partner to Improve the Digital Patient Experience

Dignity Health and UCSF Health are collaborating to develop a digital engagement platform that officials believe will provide information and access to patients when and where they need it as they navigate primary and preventive care, as well as more acute or specialty care.

Report: Digital Health VC Funding Surges to Record $4.9 Billion in 2018

Global venture capital funding for digital health companies in the first half of 2018 was 22 percent higher year-over-year (YoY) with a record $4.9 billion raised in 383 deals compared to the $4 billion in 359 deals in the same time period last year, according to Mercom Capital Group’s latest report.

ONC Roundup: Senior Leadership Changes Spark Questions

The Office of the National Coordinator for Health IT (ONC) has continued to experience changes within its upper leadership, leading some folks to again ponder what the health IT agency’s role will be moving forward.

Media Report: Walmart Hires Former Humana Executive to Run Health Unit

Reigniting speculation that Walmart and insurer Humana are exploring ways to forge a closer partnership, Walmart Inc. has hired a Humana veteran to run its health care business, according to a report from Bloomberg.