Puerto Rican insurer faces $6.8M fine for HIPAA violations
Health insurer Triple-S Management faces a fine over a security breach at the insurer’s subsidiary that is larger than any imposed for HIPAA violations by the Office for Civil Rights.
The Puerto Rico Health Insurance Administration intends to impose a $6.8 million fine on the subsidiary, Triple-S Salud.
The incident occurred on Sept. 20, 2013, when Triple-S Salud inadvertently mailed a pamphlet that included beneficiaries' Medicare health insurance claim number to 13,336 of its dual-eligible beneficiaries--individuals eligible for both Medicaid and Medicare, according to documents filed with the Securities and Exchange Commission. Triple-S immediately investigated the incident and reported it to the appropriate government agencies.
The company also released a breach notification to local media; notified all affected beneficiaries; and offered a year of identity protection and credit monitoring through a third-party provider to all affected individuals affected.
Despite the organization’s efforts, the administration says the fine represents a fine of $500 per affected individual, as well as an additional $100,000 penalty because Triple S failed to cooperate with the administration's investigation. The administration also wants Triple-S to suspend enrollment of dual-eligible beneficiaries; notify all affected individuals of their right to end their enrollment; and implement a corrective action plan to prevent future breaches.
Triple-S has until March 13 to request an administrative hearing on the fine, which could result in the maintenance or reduction of the fine.