Two Million Dollar HIPAA Penalty to Health Insurer for Lack of Encryption and Failure to Provide Security Training

Jan 24, 2017 | Blog

If you think encryption is expensive, going without it can raise costs exponentially. A HIPAA penalty proceeding based on lack of encryption and failure to hold security awareness training was settled for $2,204,182 as announced by The Office for Civil Rights (“OCR”) on January 18, 2017. As breaches of health data multiply, OCR continues to demonstrate its seriousness in enforcing HIPAA encryption and security training requirements. Enforcement actions have extended to health plans as well as healthcare providers.

MAPFRE Puerto Rico, a health insurer, had placed the health information of over 2,000 subscribers on a USB “pen” drive, and the device was stolen from MAPFRE’s IT Department. The information had not been encrypted. OCR’s investigation, commenced in 2011 following MAPFRE’s self-report, revealed that the organization had not engaged in security awareness training that met the level required by HIPAA.

This proceeding and its settlement are significant for three reasons: the amount of the settlement, which exceeds most settlements against providers whose breaches involved disclosures of far more individuals; the penalty was one of the largest imposed against any health insurer; and the Resolution Agreement settling the matter cited the lack of encryption in tandem with the lack of security awareness training.

OCR has sent a very strong message to the healthcare community with this settlement: If you do not encrypt data at rest (in storage) and do not train your staff about encryption and other information safeguards, you will be heavily penalized when the inevitable data breach occurs. This wakeup call should be heeded by all health insurers and providers, and their Business Associates such as law firms and health applications developers as well.

If you have questions regarding security compliance under HIPAA and other privacy laws, please contact Kenneth N. Rashbaum.