The Puerto Rico- based subsidiary of a multinational insurance company entered into a $2.2 million settlement with the U.S. Department of Health and Human Services for alleged HIPAA violations.
An underwriter of life and disability insurance and group health plans (the “Company”) notified the government of theft of a pen drive containing electronic protected health information. The pen drive was stolen from the IT department, and contained PHI relating to over 2,200 individuals. The PHI included name, dates of birth and Social Security numbers.
In addition to the $2.2 million payment, the Company must enter into a corrective action plan that includes an analysis of risks and vulnerabilities, submitting a risk management plan, and reviewing executive policies.
