OCR announces first multimillion dollar HIPAA settlement of the year
An insurer has agreed to a multimillion-dollar settlement in the Office for Civil Rights’ (OCR) second HIPAA settlement of the year. The agency appears to be on track to continue last year’s trend of increased enforcement activity and high-profile multimillion-dollar settlements.
MAPFRE Life Insurance Company of Puerto Rico, an organization that underwrites and administers individual and group health insurance plans, will pay OCR $2.2 million and comply with a corrective action plan (CAP) to settle charges it violated HIPAA in connection with a 2011 breach that affected 2,209 individuals. MAPFRE filed a breach report with OCR after it discovered that a USB data storage device containing protected health information (PHI) had been stolen from its IT department. The device was unencrypted and was left overnight without physical safeguards. PHI on the device included:
- Dates of birth
- Names
- Social Security numbers
MAPFRE claimed to conduct risk analyses and to have a risk management plan in place, but OCR’s investigators found no evidence of these activities. Investigators also found that MAPFRE did not encrypt laptops or removable storage media until 2014 and did not implement other corrective actions it had previously told OCR it would take.
In its statement, OCR emphasized that covered entities (CE) and business associates (BA) must conduct risk analyses and address any identified threats. Failure to conduct risk analyses and poor or nonexistent risk management are common HIPAA pain points. Many of last year’s record-setting HIPAA settlements hinged on the failure of CEs or BAs to comply with risk analysis and management requirements.