Back in 2011, MAPFRE had reported an ePHI incident involving a flash drive that was stolen from the company’s IT department, where it had been left in the open and unsecured overnight. The drive contained the names, social security numbers and other protected health information for slightly more than two thousand MAPFRE customers.
After properly reporting the breach, the company conducted a risk analysis and crafted an action plan designed to prevent such instances from occurring in the future. They presented their plan to OCR, which is the Health Department’s investigative arm, but then failed to implement their new proposed procedures.
When a follow up investigation revealed that the company had not taken the actions they committed to taking, in order to improve the physical aspect of their data security, OCR levied a staggering $2.2 million fine against them.
Last year was a record-setting year for the Department of Health and Human Services with thirteen settlements issued, plus a civil monetary penalty case. If January is any indication, the department looks like it’s going to have a busy 2017 as well.
Once again, the size of the settlement underscores the importance of taking HIPAA regulations seriously, but this particular case also brings to light the importance of taking timely corrective action. In this instance, MAPFRE did everything right except for the last step, when they failed to actually implement the changes they had committed to making. That proved to be a costly mistake. If your business deals with protected health information in any capacity, be sure it’s not one you repeat. Doing so could be far more costly than you realize!