Triple-S Data Breach Settlement Reached with OCR

This week, OCR announced a Triple-S data breach settlement was reached. The Puerto Rico health insurer will pay $3.5 million to OCR to settle potential HIPAA violations spanning 5 years. The Triple-S data breach settlement could potentially have been far greater, considering the BlueCross BlueShield licensee has reported eight data breaches to OCR since 2010 and has previously been fined for HIPAA violations.

Triple-S Data Breach Settlement is the Second Largest HIPAA Fine Issued

OCR investigated Triple S Management Corporation after having received numerous reports of data breaches over the past few years. OCR investigates all data breach reports affecting more than 500 individuals and assesses covered entities for potential HIPAA violations that may have contributed to the cause of the breaches.

In many cases, OCR investigators discover non-compliance issues, but it is relatively rare for financial penalties for non-compliance with HIPAA to be issued. Many covered entities require only minor assistance to bring their privacy and security standards up to the minimum level demanded by the Health Insurance Portability and Accountability Act. In such cases, a robust corrective action plan is deemed more appropriate: the covered entity must address all non-compliance issues within a short time frame and report back to OCR on a regular basis.

In the case of Triple-S, persistent compliance failures, numerous data breaches, and a history of non-compliance meant OCR had little alternative but to issue a heavy fine. Triple-S is fortunate, however. OCR is permitted to issue fines of up to $1.5 million per violation category, per year. Since some non-compliance issues had existed for a considerable period of time, the potential fine could have been substantially higher.

The settlement has been reached with Triple S Management Corporation, although it covers Triple S Management Corporation as well as its wholly owned subsidiaries: Triple-S Advantage Inc., Triple-C Inc., and Triple-S Salud Inc.

The settlement is the second highest ever reached with OCR. Only the Cignet Health settlement of $4.3 million was higher. Last year, responsibility to pay a $4.8 million HIPAA settlement was shared between New York-Presbyterian Hospital (NYPH) and Columbia University.

Triple-S Data Breaches Suffered Since 2010

Since 2010, Triple-S and its subsidiaries have suffered multiple data breaches as detailed in the following table. The Triple-S data breach settlement corresponds to potential HIPAA violations that contributed to the cause of these breaches.

| Year | Company | Individuals Affected | Breach Type | Location of Data | Covered Entity Type |
|------|---------|----------------------|-------------|------------------|---------------------|
| 2010 | Triple-S Management, Corp. + Triple-S Salud, Inc. | 475,000 | Hacking/IT Incident + Unauthorized Access/Disclosure | Network Server | Business Associate |
| 2013 | Triple S Salud Inc. | 13,336 | Unauthorized Access/Disclosure | Paper/Films | Business Associate |
| 2014 | Triple-S Salud, Inc. | 398,000 | Theft | Network Server | Health Plan |
| 2014 | Triple-C, Inc. | 8,000 | Theft + Unauthorized Access/Disclosure | Network Server | Business Associate |
| 2014 | Triple-S Salud | 5,795 | Theft | Other | Health Plan |
| 2014 | Triple S Salud Inc. | 7,911 | Theft | Other Portable Electronic Device | Business Associate |
| 2014 | Triple-S Salud | 56,853 | Unauthorized Access/Disclosure | Paper/Films | Health Plan |
| 2015 | Triple S Advantage, Inc. | 1,458 | Unauthorized Access/Disclosure | Other | Health Plan |

Triple-S Management Corporation HIPAA Violation Penalties

OCR took the decision to fine Triple-S Management Corporation for persistent HIPAA violations, although the Puerto Rico-based health insurer decided to settle the case. Liability has therefore not been accepted. The potential HIPAA violations discovered by OCR investigators are detailed below:

  1. Violation of 45 C.F.R. § 164.502(a) – Impermissible disclosure of PHI relating to the data breaches listed above
  2. Violation of 45 C.F.R. § 164.530(c)(1) and (c)(2)(i) – Failure to implement administrative, technical, and physical safeguards to protect the PHI of subscribers
  3. Violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) – Incomplete risk analysis – Triple-S had not identified all security vulnerabilities placing ePHI at risk of exposure
  4. Violation of 45 C.F.R. § 164.314(a)(2)(i) – Impermissible disclosure of PHI to third-party vendors – Lack of a signed Business Associate Agreement (BAA)
  5. Violation of 45 C.F.R. § 164.308(a)(1)(ii)(B) – Lack of security measures to safeguard ePHI and reduce risk to a reasonable and appropriate level
  6. Violation of 45 C.F.R. § 164.308(a)(3)(ii)(C) – Failure to terminate access rights to PHI following the cessation of employment of workforce members
  7. Violation of 45 C.F.R. § 164.514(d) – Disclosure of more than the minimum necessary information to a third-party vendor in order for a task to be conducted

Triple-S has previously been fined for a data breach arising from potential HIPAA violations. In 2015, the Puerto Rico Health Insurance Administration fined Triple-S $6.8 million for HIPAA violations leading to a breach of 475,000 subscriber records. The fine actually paid was only $1.5 million, having been reduced after an appeal was lodged.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news