$2.2 million to settle possible HIPAA breach
February 06, 2017
San Juan, Puerto Rico — A life insurance company in Puerto Rico will pay the federal government $2.2 million for possibly violating the Health Insurance Portability and Accountability Act after a USB data storage device containing electronic protected health information was stolen.
MAPFRE Life Insurance Company of Puerto Rico must also implement a corrective action plan. On Sept. 29, 2011, the company filed a breach report with the U.S. Department of Health and Human Services Office for Civil Rights stating that the stolen USB drive contained names, dates of birth and Social Security numbers and that 2,209 people were affected, according to a news release.
The government's investigation revealed that the insurance company failed to conduct a risk analysis and implement risk management plans, and didn't encrypt its laptops or removable storage media until 2014. MAPFRE is a subsidiary of MAPFRE S.A., a multinational insurance company headquartered in Spain.