[BreachExchange] Insurer Slapped with $2.2 Million HIPAA Settlement

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 18 20:19:10 EST 2017


http://www.databreachtoday.com/insurer-slapped-22-million-hipaa-settlement-a-9643

In the final days of the Obama administration, the Department of Health and
Human Services has issued its second HIPAA enforcement action for 2017.
HHS' Office for Civil Rights has entered a $2.2 million settlement with a
Puerto Rican insurance company in the wake of its investigation of a 2011
breach involving a stolen unencrypted USB drive that affected only about
2,000 individuals.

The substantial penalty for the breach stems from the lack of timely
corrective action after the breach by MAPFRE Life Insurance Co. of Puerto
Rico, OCR explains in a statement.

"OCR's investigation revealed MAPFRE's noncompliance with the HIPAA rules,
specifically, a failure to conduct its risk analysis and implement risk
management plans, contrary to its prior representations, and a failure to
deploy encryption or an equivalent alternative measure on its laptops and
removable storage media until September 1, 2014," OCR notes. "MAPFRE also
failed to implement or delayed implementing other corrective measures it
informed OCR it would undertake."

OCR Director Jocelyn Samuels notes: "Covered entities must not only make
assessments to safeguard ePHI, they must act on those assessments as well.
OCR works tirelessly and collaboratively with covered entities to set clear
expectations and consequences."

In setting the size of the penalty, OCR notes that its resolution agreement
also "balanced potential violations of the HIPAA rules with evidence
provided by MAPFRE with regard to its present financial standing."

MAPFRE is a subsidiary company of MAPFRE S.A., a multinational insurance
company headquartered in Spain. MAPFRE underwrites and administers a
variety of insurance products and services in Puerto Rico, including
personal and group health insurance plans, OCR notes.

Breach Investigation Details

OCR's settlement with MAPFRE stems from a breach report the insurance
company filed on Sept. 29, 2011, indicating that a USB data storage "pen
drive" device containing electronic protected health information was stolen
from MAPFRE's IT department where it was left overnight.

Compromised data included names, dates of birth and Social Security numbers
of 2,209 individuals. OCR notes that MAPFRE said it was able to identify
the breached ePHI by reconstituting the data on the computer on which the
USB data storage device was attached.

Common Issues With a 'Twist'?

The latest HIPAA enforcement action by OCR focuses on a weakness - the lack
of a risk analysis - that's been spotlighted in many previous HIPAA
settlements, notes Adam Greene, a privacy attorney at the law firm Davis
Wright Tremaine. But this settlement also notes MAPFRE's alleged lack of
timely corrective action in the wake of the breach, he notes.

"While the breach gets the attention, OCR's press release highlights the
lack of a risk analysis and risk management plan and the alleged failure to
follow through on representations to OCR," Greene says. "Be careful what
you promise to OCR, because you will need to follow through."

Privacy attorney Kirk Nahra notes: "This is a 'normal' breach settlement
with the added twist that the company had problems before and didn't fix
them. One bit of advice: Do what you commit to doing with OCR or any other
regulatory/enforcement agency, or pray hard that nothing bad happens."

Companies always need to meet their compliance obligations, Nahra adds.
"But there is no bigger risk than telling an agency something and then not
doing it."

More Settlements Soon?

The settlement with MAPFRE is the second HIPAA enforcement action OCR has
taken so far in 2017. That follows a record year in 2016, when OCR issued
far more settlements - 13, plus one civil monetary penalty case - than in
previous years.

But with the imminent transition to the Trump administration, it could be a
while before OCR takes additional enforcement action, Greene notes.

"I expect that after January 20th, we may have a lull in published
settlements as new leadership comes on board at OCR," he says. "From there,
it is anyone's guess as to whether the pace of settlements will return to
what we saw in 2016, or whether a new political appointee has different
enforcement priorities."

On Jan. 9, OCR issued a $475,000 financial settlement and corrective action
plan with Chicago-based Presence Health tied to the organization's tardy
notification for a 2013 paper records breach affecting about 800
individuals.

Corrective Action Plan

OCR's corrective action plan calls for the insurance company to:

Conduct a risk analysis and implement a risk management plan;
Implement a process for evaluating environmental and operational changes;
Update its policies and procedures and distribute them to its workforce.

In the corrective action plan, OCR notes that MAPFRE's updated policies and
processes must address:

Uses and disclosures of PHI;
Workforce training;
Security management process;
Device and media controls;
Security rule policies and procedures;
Encryption and decryption;
Workstation use.