MAPFRE Life HIPAA Settlement: $2.2 Million for Impermissible Disclosure of ePHI

MAPFRE Life Insurance Company of Puerto Rico has settled potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with the Department of Health and Human Services’ Office for Civil Rights.

MAPFRE Life HIPAA Settlement of $2.2 Million Agreed with OCR

According to the resolution agreement, MAPFRE Life will pay OCR $2,204,182 and must adopt a corrective action plan to address multiple noncompliance issues discovered by OCR during the investigation of a 2011 data breach.

On September 29, 2011, MAPFRE Life discovered that a pen drive (USB flash drive) had been stolen from its IT department. MAPFRE Life was able to reconstitute the contents of the drive from the computer to which it had been attached. Analysis of that data showed that the electronic protected health information (ePHI) of 2,209 patients had been stored on the device, including names, Social Security numbers and dates of birth.

Following the discovery, MAPFRE Life informed OCR that corrective measures would be taken to address the failures that led to the breach; yet it took until September 1, 2014, almost three years after the theft, for the insurer to deploy encryption (or an equivalent alternative measure) on its laptop computers and portable storage devices.

OCR investigators discovered a number of HIPAA noncompliance issues which directly contributed to the breach.

MAPFRE Life failed to conduct a thorough and accurate risk assessment to determine risks and vulnerabilities that threatened the confidentiality, integrity, and availability of members’ electronic protected health information. MAPFRE Life also failed to implement sufficient measures to reduce the risk of ePHI exposure to an appropriate level.

MAPFRE Life did not implement encryption, or an equivalent alternative measure, to safeguard ePHI. Under the HIPAA Security Rule, encryption of ePHI is an "addressable" implementation specification: a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative safeguard in place. MAPFRE Life did neither. OCR investigators also found that the insurer had failed to provide security awareness training to all members of its workforce, and that it had not implemented policies and procedures to address the HIPAA standards and implementation specifications.

As a result of these failures, MAPFRE Life impermissibly disclosed the ePHI of 2,209 individuals to an unauthorized third party. Had MAPFRE Life complied with HIPAA regulations, the data breach could have been prevented and the PHI of its members would not have been exposed. The settlement, which is one of the highest in recent months, took into account the number of noncompliance issues discovered during the investigation and MAPFRE’s financial position.

The MAPFRE Life HIPAA settlement is the second of 2017. Earlier this month, Presence Health of Illinois settled a potential HIPAA Breach Notification Rule violation with OCR for $475,000, the first HIPAA settlement agreed solely for the delayed issuing of breach notifications following an ePHI breach.

Two settlements in the first month of the year suggest that 2017 could be another record-breaking year for HIPAA enforcement.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news