Privacy & Cybersecurity Law Blog

Triple-S Management Corporation reported in the 8-K it recently filed with the U.S. Securities and Exchange Commission that its health insurance subsidiary, Triple-S Salud, Inc. (“Triple S”), which is Puerto Rico’s largest health insurer, will be fined $6.8 million for a data breach that occurred in September 2013. The civil monetary penalty, which is being levied by the Puerto Rico Health Insurance Administration, will be the largest fine ever imposed following a breach of protected health information.

According to the filing, in September 2013, Triple S mailed pamphlets to its Medicare Advantage beneficiaries that inadvertently displayed the beneficiaries’ Medicare Health Insurance Claim Numbers. Following the breach, which affected more than 13,000 individuals, Triple S conducted an investigation, notified affected individuals and reported the incident to Puerto Rican authorities as well as the Department of Health and Human Services’ Office for Civil Rights. Triple S also offered one year of credit monitoring at no charge to the affected individuals.

According to the 8-K, Triple S was notified of the pending sanctions on February 11, 2014. In addition to the proposed monetary penalty, Triple S will be required to suspend new enrollments of Dual Eligible Medicare beneficiaries and notify existing beneficiaries of their right to disenroll from the Triple S Medicare Advantage plan. In the 8-K, Triple S noted that it is responding to the allegations that it “failed to take all required steps in response to the breach” and has the right to request an administrative hearing on the issue. The 8-K concluded by noting that Triple S is “working to prevent this type of incident from happening again.”

View the 8-K.