The $2M USB Drive: 2011 Incident Costs Insurance Firm Dearly
A HIPAA fine for the Puerto Rican firm MAPFRE cites the firm for not following through on fixes after a USB drive containing customer information was stolen. The cost: $2.2 million.
What’s worse than losing patient health information and getting cited by the US Government? Apparently, it’s ghosting Uncle Sam when it comes time to make it right.
That’s the message from this week’s announcement by the Department of Health and Human Services Office of Civil Rights (OCR), which fined MAPFRE Life Insurance Co. more than $2 million for failing to take “timely corrective action” after a 2011 incident in which customer data stored on a USB drive went missing.
With just 2,209 customer records exposed in the 2011 incident, the MAPFRE settlement works out to close to $1,000 in fines for every patient record lost. The company has said it will take corrective action to address security issues related to its handling of covered data – more than five years after filing its initial breach report with OCR.
A subsidiary company of the Spanish firm MAPFRE S.A., a global multinational insurance company, MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
According to the OCR settlement, the USB drive containing customers’ protected health information (PHI) was stolen from the company’s IT department, where it had been left in a computer, unprotected, overnight.
While MAPFRE reported the incident promptly and took responsibility for it at the time, an OCR investigation revealed the company didn’t make good on promises of reform. Specifically, MAPFRE failed to conduct risk assessments or implement risk management plans. Promises in 2011 to deploy encryption tools to protect PHI stored on laptops and removable storage media went unfulfilled for almost three years, until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake, OCR said.
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
The consequences for MAPFRE are severe. In addition to the $2.2 million in fines, the company agreed as part of its settlement to revamp its data security procedures, creating a comprehensive inventory of covered PHI and the devices it resides on. The company said it will develop and share with OCR a comprehensive risk assessment and data protection program that includes stronger data protections, employee training and strict disclosure requirements.
The $2.2 million price tag ranks among the 10 largest HIPAA fines to date. And the $1,000 per lost record is a high price to pay for PHI that was stolen. By comparison, OCR fined WellPoint (now Anthem) $1.7 million in July 2013 after a data breach exposed the protected health information of more than 612,000 individuals in a database – a cost of about $2.77 per stolen record.
Still, it wouldn’t be the largest fine on a per-patient basis. That honor may go to Cignet Health of Prince George’s County, Maryland, which was fined $4.3 million by OCR in a 2010 case in which Cignet was found in violation of the HIPAA Privacy Rule for denying 41 patients legally mandated access to their patient records.