Third Time’s a Charm: Triple-S and its Data Breaches

Triple-S, a health insurance holding company in Puerto Rico, entered into a Resolution Agreement and Corrective Action Plan under which it has agreed to pay a $3.5 million penalty to OCR. This is its third time in the data breach spotlight. In 2010 its name first graced The Wall of Shame in connection with a hacked server. (Its affiliates have graced the Wall of Shame multiple times, too.) Last year, the Puerto Rico insurance regulators sanctioned Triple-S with a $6.8 million fine (ultimately reduced to $1.5 million), and suspension of its ability to enroll dual eligibles, in connection with a data breach consisting of mailing materials to members with insurance identification numbers visible on the outside of envelopes (together with names and addresses — PHI). Now, the same facts underlying the Puerto Rico action, together with other similar breaches, have resulted in the OCR action against the company.  See the OCR presser and settlement agreement. From the presser:

After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:

• Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;

• Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;

• Use or Disclosure of more PHI than was necessary to carry out mailings;

• Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and

• Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:

• A risk analysis and a risk management plan;

• A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;

• Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and

• A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.

The noncompliance sounds pedestrian, run-of-the-mill. The takeaway here is that the federales take this stuff seriously, even if it takes them a while to reach a resolution with a covered entity.

Also recently, Lahey Clinic entered into a settlement agreement with the agency (and paid an $850,000 fine), this one relating to the theft of an unsecured, unencrypted laptop about four years ago, which was remotely wiped within 24 hours of it having gone missing. The word from Lahey is as follows:

Patient confidentiality is our highest priority. The medical device that was stolen in 2011 contained limited data for approximately 600 patients. The data consisted of names, birth dates and information relating to a specific imaging test. It did not contain social security, financial, or any other patient information. Upon learning of the theft, we immediately remotely deleted data off the device, and notified each patient. This was an isolated incident and in the more than four years since the device was stolen, we have no indication that any patients’ personal data relating to this situation was accessed. We had a number of security measures in place at the time and have taken steps since to improve upon those measures.

Similarly, the OCR presser on Triple-S says:

Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.

If these statements may be taken at face value, they lend credence to the oft-repeated mantra of OCR, which is that the government is here to help. Yes, fines will be levied, but the ultimate goal is making sure this stuff doesn’t happen again — not collection of more fines.

Take another look at the types of noncompliance in the Triple-S case noted above — and at the elements of the compliance plan to be implemented. At this late date, HIPAA compliance, encompassing taking care of all of these sorts of things, should be second nature to every covered entity and business associate in the land.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Image by Arturo Pardavila III via Flickr CC