A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18, 2017 a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,200 individuals was stolen from MAPFRE’s IT Department, where it had been left unsecured overnight. OCR also alleged that MAPFRE did not follow through on representations it had made to OCR regarding its risk analysis and other compliance efforts.

An OCR investigation revealed alleged noncompliance with various HIPAA provisions, including failure to conduct a risk analysis and implement risk management plans. As part of the settlement, MAPFRE agreed to pay $2.2 million and adhere to a three-year corrective action plan.

OCR’s settlement with MAPFRE is notable for the size of the penalty relative to the breach: roughly $1,000 per affected individual. Much of that may be attributable to both the underlying root cause of the breach – an alleged lack of risk analysis and risk management – and the press release’s suggestion that MAPFRE did not follow through on promises made to OCR:

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake. (Emphasis added)

Some lessons:

  • Placing PHI on an unencrypted USB drive can prove very costly.
  • Leaving unencrypted PHI lying around, even inside the IT department, is also a bad idea.
  • OCR continues to focus on the need for a risk analysis and risk management plan.
  • Only provide accurate representations to OCR.
  • Carefully follow through on commitments made to OCR.