36,000 plan members of Triple-S Advantage has experienced a privacy breach that has impacted. The breach was experience by the Puerto Rico based group when a mailing error which saw sensitive information of plan members sent to incorrect recipients.
The data that was exposed, due to the mailing mistake, was limited and did not incorporate Social Security numbers or financial files; however, plan members’ ID numbers were impermissibly issues i ntandem along with names, dates of service, and treatment codes.
The mailing error took place in November but was not spotted by Triple-S until December 5, 2017. An extensive audit was launched to determine how the error occurred and steps has now been taken to make sure that similar errors do not occur in subsequent mailings to plan members and healthcare groups.
Triple-S said in its official substitute breach notice that its mailing procedures have been altered and that those new processes have now been tested to ensure their safety. Another mailing run has been finished and copies of the original letters have now been mailed to the correct addresses. Impacted plan members have also been told of the exposure of their PHI using first class mail.
As plan member ID numbers have been affected, affected individuals have been advised to double check their Explanation of Benefits statements in detail to make sure only services that have been received are present. Since there is potential for malicious individuals to change addresses, plan members have been told to check to make sure normal correspondence from Triple S is still being received.
Triple S confirmed that it has not received any reports to suggest that any PHI has been accessed or misused by unauthorized characters.
The breach report sent to the Department of Health and Human Services’ Office for Civil Rights states that 36,305 plan members were impacted by the mailing error.
While all privacy breaches are bad news, this incident will be particularly concerning for Triple-S. In 2015, following a detailed review into data breaches by the HHS’ Office for Civil Rights, Triple S Management Corporation – the mother company of Triple-S Advantage – settled multiple HIPAA violations with the OCR for a figure of $3.5 million. Triple S was hit with a $1.5 million penalty by the Puerto Rico Health Insurance Administration.
The settlement in question resolved serial violations of HIPAA Rules and multiple compliance failures that played a part in eight data breaches by Triple S Management Corporation subsidiaries between 2010 and 2014.
Triple S will still be closely monitored by the OCR and the latest breach is certain to be thoroughly examined.