An insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing the electronic protected health information (ePHI) of more than 2,200 people was stolen from its IT department, federal authorities announced today.

As part of the Jan. 11 agreement, MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) also entered into a corrective action plan with the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR).

Investigators described a lack of urgency on the part of MAPFRE in safeguarding ePHI as required by HIPAA’s security and privacy rules, resulting in theft of the portable storage device containing names, dates of birth and Social Security numbers.   

“OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014,” the OCR statement said. “MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.” 

The settlement announcement is the second of 2017, and suggests OCR has no intention of letting up on the torrid enforcement pace of 2016 – a year during which the agency collected a record $23.5 million in HIPAA breach settlements, up from $6.2 million in all of 2015.

MAPFRE, the subsidiary of a Spain-based multinational insurance conglomerate, offers life, disability, health, auto and other insurance services in Puerto Rico and the U.S. Virgin Islands.

Authorities indicated that the settlement amount might have been higher.

“With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing,” the statement said.  

The breach involving 2,209 individuals occurred on Aug. 5, 2011, and was reported to OCR 55 days later.

Federal investigators allege they found evidence that the insurer:

As with similar settlements, MAPFRE wasn’t required to admit guilt.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Send tips and news to [email protected].