Triple-S Management Corp. (“Triple-S”), a Puerto Rico-based health insurer, has been fined $6.8 million by the Puerto Rico Health Insurance Administration (“PRHIA”) following a Health Insurance Portability and Accountability Act (“HIPAA”) breach by its subsidiary, Triple-S Salud Inc. (“TSS”), involving more than 13,000 beneficiaries.
The breach occurred last September, when TSS accidentally mailed to approximately 70,000 Medicare Advantage beneficiaries a pamphlet that inadvertently displayed Medicare Health Insurance Claim Numbers (“HICNs”), which are considered protected health information under HIPAA.
In a Securities and Exchange Commission filing, Triple-S disclosed that in addition to the fine, PRHIA imposed administrative sanctions, including the suspension of all new enrollments of clients enrolled in both Medicare and Medicaid (“Dual Eligibles”) and the obligation to notify affected individuals of their right to disenroll.
Triple-S stated that TSS conducted an investigation and reported the incident to the appropriate Puerto Rico and federal government agencies, responding to requests for information about Dual Eligibles. Triple-S added that TSS took additional steps to remedy the breach, including issuing a breach notification through the local media and notifying all affected beneficiaries by mail.
The amount of the penalty imposed by the Puerto Rican government is unprecedented, higher than any HIPAA fine ever issued by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and far exceeding the maximum federal fine per incident of $1.5M established by the HIPAA Omnibus Rule. While OCR has entered into many settlement agreements with financial penalties, it has imposed a civil monetary penalty for a HIPAA violation only one time, when it issued a $4.3 million fine against Cignet Health in 2011.
The amount of the TSS fine is also significant considering that there have been much bigger breaches affecting larger numbers of individuals, and the information that was released – HICNs – is not the type of sensitive information that typically leads to more aggressive enforcement
What does this mean for HIPAA covered entities and business associates? The staggering fine may embolden federal regulators or state Attorneys General to take a more aggressive position and impose more civil monetary penalties for HIPAA breaches, even breaches previously considered less serious. Organizations should take extra precautions to prevent and remedy breaches, including complying with all federal and state breach notification requirements.