Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach.  Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach. 

The penalty, which also is described in a securities filing, is based on a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries.  This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.

Why is this penalty so large and what does it mean for future penalties?  There seems to be a history here, looking at the reported breaches.  There have been at least six Triple-S reported breaches since 2008 involving over half a million individuals.  Perhaps the size of this penalty was due to HHS OCR concluding that Triple-S was not getting the message about HIPAA.  I suspect they have Triple-S’s attention now.  And I suspect this penalty is not generalizable to most one-off HIPAA breaches.
