Stolen USB Drive Leads to $2.2 Million HIPAA Breach Penalty

The second payment of the year suggests federal authorities intend to continue the torrid enforcement pace of 2016, during which mishandling electronic patient information cost “covered entities” and their associates a record $23.5 million in HIPAA breach settlements.

Aldrin Brown, Editor-in-Chief

January 19, 2017


An insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing the electronic protected health information (ePHI) of more than 2,200 people was stolen from its IT department, federal authorities announced today.

As part of the Jan. 11 agreement, MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) also entered into a corrective action plan with the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR).

Investigators described a lack of urgency on the part of MAPFRE in safeguarding ePHI as required by HIPAA’s security and privacy rules, resulting in theft of the portable storage device containing names, dates of birth and Social Security numbers.   

“OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014,” the OCR statement said. “MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.” 

The settlement announcement is the second of 2017, and suggests OCR has no intention of letting up on the torrid enforcement pace of 2016 – a year during which the agency collected a record $23.5 million in HIPAA breach settlements, up from $6.2 million in all of 2015.

MAPFRE, the subsidiary of a Spain-based multinational insurance conglomerate, offers life, disability, health, auto and other insurance services in Puerto Rico and the U.S. Virgin Islands.

Authorities indicated that the settlement amount might have been higher.

“With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing,” the statement said.  

The breach involving 2,209 individuals occurred on Aug. 5, 2011, and was reported to OCR 55 days later.

Federal investigators allege they found evidence that the insurer:

  • failed to conduct required risk and vulnerabilities assessments to test the “confidentiality, integrity, and availability” of the ePHI under their control,

  • didn’t implement appropriate security measures,

  • neglected to implement required security awareness and training programs for workers.

As with similar settlements, MAPFRE wasn’t required to admit guilt.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

