Huge Fine in Puerto Rico Breach

Local Official Promises More Hefty Fines in Other Cases
A government agency in Puerto Rico has levied a record $6.8 million HIPAA sanction against a local health insurer for a 2013 breach involving a mailing error that affected only about 13,000 beneficiaries.
The financial penalty levied in the case against insurer Triple S Salud is higher than any HIPAA-related penalty issued to date by the Department of Health and Human Services' Office for Civil Rights, the federal enforcement agency for HIPAA.
Ricardo Rivera Cardona, the top official at the Puerto Rican government agency that issued the HIPAA fine, tells Information Security Media Group that more sanctions could be on the way for other organizations that fail to safeguard individuals' protected health information. The agency, the Puerto Rico Health Insurance Administration, a government insurance office also known by its Spanish-language acronym "ASES," is investigating two other HIPAA-related cases, he notes.
"We are sending a message that we are here to enforce," he says. "There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this."
In an 8-K document filed on Feb. 18 with the Securities and Exchange Commission, Triple-S Management Corp. disclosed that its insurance subsidiary, Triple S Salud, was hit with the civil monetary fine of nearly $6.8 million, plus other administrative sanctions, as a result of a 2013 breach involving 13,336 of the company's Dual Eligible Medicare beneficiaries. The Dual Eligible Medicare coverage is offered to older, low-income individuals who are eligible for Medicare and Medicaid.
Triple S disclosed in the filing that in addition to the monetary fines, the ASES sanctions include the suspension of all new enrollments of Dual Eligible Medicare beneficiaries and the obligation to notify affected individuals of their right to disenroll.
The filing by Triple S says that on Sept. 20, 2013, the company mailed beneficiaries a pamphlet that inadvertently displayed the Medicare health insurance claim number. "That claim number is the unique [identifier] assigned by the Social Security Administration to each Medicare beneficiary and is considered protected health information under HIPAA," according to the filing.
"Triple S conducted an investigation and reported the incident to the appropriate Puerto Rico and federal government agencies," the filing states. "It then received and complied with requests for information from ASES concerning our Dual Eligible Medicare beneficiaries" affected by the breach, according to the document. The company says it issued a breach notification through the local media and notified all affected beneficiaries by mail. It says it also is offering those affected 12 months of free credit monitoring and identity protection through an independent provider.
Triple S Salud did not reply to a request for further comment.
Rivera Cardona, ASES' executive director, says the monetary sanctions levied against Triple S equal a fine of $500 for each of the 13,336 Dual Eligible Medicare beneficiaries affected by the breach. In addition, ASES smacked on another $100,000 penalty because Triple S did not cooperate with ASES' investigation into the incident, including "not supplying information requested [by ASES] and providing misleading information," Rivera Cardona says.
While Rivera Cardona acknowledges that the ASES sanctions levied against Triple S are higher than any imposed by the HHS Office for Civil Rights, he says ASES could have imposed an even higher fine in the Triple S case. "Their contract with us specifies that any contractual violation, including HIPAA, is subject to a fine of $500 to $100,000 per member."
Triple S has until March 13 to request an administrative hearing on ASES' findings and proposed penalties, Rivera Cardona says. Such a hearing could result in the sanctions being reduced or remaining the same.
In addition to the civil monetary penalties and administrative sanctions, ASES also issued a corrective action plan that requires the insurer to put measures in place to ensure such breaches do not recur, Rivera Cardona says.
"This is the most important part - reassuring us that this won't ever happen again," says Rivera Cardona, who's held the top position at ASES since January 2013.
Federal HIPAA Investigation
Being a HIPAA covered entity, Triple S is also subject to potential enforcement action by OCR. However, an OCR spokeswoman says the agency's investigation into the Triple S breach is still open. "HHS cannot comment further on the status of the case at this time," she says.
Although OCR has entered several HIPAA settlement agreements that included substantial financial penalties, the only "civil monetary penalty" it has issued in a HIPAA case was against Cignet Health of Prince George's County, Md. The organization was fined $4.3 million in 2011 by OCR for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.
"In Cignet's case, the organization appears to have been much more consciously at fault," observes security expert Kate Borten, principal at the consulting firm The Marblehead Group. "Cignet did not meet HIPAA requirements for individual access to records, and it was very uncooperative," she notes.
"In this case of Triple S, it appears to have been an unfortunate accident," she says. "It shouldn't have happened; there should have been some quality control process that stopped the mailing."
State attorneys general face certain restrictions on the size of monetary penalties they can issue for HIPAA cases, says privacy attorney Adam Greene of law firm Davis Wright Tremaine.
"State AGs are capped at $25,000 per year for multiple violations of an identical provision," Greene notes. "While multiple violations over multiple years can add up quickly, it still seems hard for a State AG to use HIPAA to get to $6.8 million," as in ASES' case against Triple S, he says.
Neither Borten nor Greene believes the size of the sanctions against Triple S in Puerto Rico will sway OCR into also issuing steeper HIPAA penalties, even though the HIPAA Omnibus Rule permits fines of up to $1.5 million per HIPAA violation.
"The fact is, HHS is still not enforcing HIPAA as intended by the HITECH Act," Borten contends. "This is probably related to limited budget and competing priorities. I don't think this [Triple S] case will bring about a change."