The subsidiary of Triple S. Management Corporation, a Puerto-Rico based medical insurance provider, is facing a nearly $7 million fine from Puerto Rico authorities over a data breach that occurred last year, according to a U.S. Securities and Exchange Commission filing made by the company. The Puerto Rico Health Administration notified the health insurance subsidiary, Triple-S Salud, Inc. (“TSS”), of its intention to impose the penalty and other administrative sanctions in response to TSS’s inclusion of protected health information on a brochure the company mailed out to more than 13,000 Dual Eligible Medicare beneficiaries in September 2013. TSS displayed the recipient Medicare beneficiary’s Medical Health Insurance Claim Number (“HICN”) on the pamphlet. The HICN is the unique number assigned by the Social Security Administration to each Medicare beneficiary and is considered protected health information under the Health Insurance Portability and Accountability Act. Altogether, the mailing went out to approximately 70,000 Medicare Advantage beneficiaries. The administrative sanctions included the suspension of all new enrollments of Dual Eligible Medicare beneficiaries and the obligation to notify affected individuals of their right to dis-enroll. The Puerto Rico Health Insurance Administration alleges that TSS failed to take all required steps in response to the breach. TSS claims to have conducted an investigation and reported the incident to Puerto Rico authorities and federal government agencies, along with complying with requests from the Administration, issuing a breach notification through local media, and notifying affected beneficiaries by mail. TSS also is offering affected individuals 12 months of free credit monitoring and identity protection through an independent provider. In its SEC filing, Triple S. Management Corporation said it was taking the matter “very seriously” and is “working to prevent this type of incident from happening again.” The organization said it could not at this time estimate the financial impact on TSS. TSS is preparing a response to the Puerto Rico Health Insurance Administration and may request an administrative hearing with respect to the Administration’s findings and proposed penalties.
TIP: While the ultimate fine may be modified in this case, it is a reminder of how seriously government authorities are taking data breach issues, especially when they involve sensitive personal information.