Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to approximately 70,000 Medicare beneficiaries a pamphlet that inadvertently displayed the receiving beneficiary’s Medicare Health Insurance Claim Number. In addition to the proposed fine, the Form 8-K indicates that sanctions include:  suspending enrollment of dual-eligible beneficiaries; notification to all affected individuals of their right to end their enrollment; and implementation of a corrective action plan from PHRIA to prevent future breach incidents.

In an El Nuevo Dia article, PHRIA Executive Director Ricardo A. Rivera Cardona explained that the fine results from how Triple-S incorrectly handled sensitive information protected by HIPAA. The PHRIA and Triple-S contract imposes fines for HIPAA violations. Of the total fine, $100,000 is due to incomplete information provided by Triple-S to PHRIA in their investigation. Triple-S has 30 days to request an administrative hearing regarding the fine.

As to breaches affecting 500 or more patients, in addition to the September 2013 incident, Triple-S has reported two other incidents to the Department of Health and Human Services Office for Civil Rights. In September 2010, Triple-S reported a theft affecting the PHI of 398,000 individuals. In October of 2008, Triple-S reported a theft and unauthorized access/disclosure affecting the PHI of 8,000 individuals.

PHRIA’s proposed civil monetary penalty falls well outside the settlement amounts and civil monetary penalty (“CMP”) previously issued by OCR. Settlement amounts with OCR have ranged between $35,000 to $2.5 million. The only CMP issued by OCR pertained to Cignet Health in the amount of $4.3 million in 2011. The CMP pertained to allegations that Cignet Health blocked 41 patients from accessing their medical records between September 2008 and October 2009. The largest portion of the CMP ($3 million) was due to Cignet Health’s refusal to cooperate in OCR’s investigation.

Breach incidents continue to result in regulatory investigations and financial penalties.  Enforcement activity is likely to continue to increase given OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule.  From the enforcement activity covered in 2013 blog posts, covered entities are learning that breach response does not stop at notification.