Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which is also described in a securities filing, is based on a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.
Why is this penalty so large and what does it mean for future penalties? There seems to be a history here, looking at the reported breaches. There have been at least six Triple-S reported breaches since 2008 involving over half a million individuals. Perhaps the size of this penalty was due to HHS OCR concluding that Triple-S was not getting the message about HIPAA. I suspect they have Triple-S’s attention now. And I suspect this penalty is not generalizable to most one-off HIPAA breaches.