Share this article on:
The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals.
The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes.
The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers.
Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan members have also been notified of the exposure of their PHI by first class mail.
Since plan member ID numbers have been exposed, affected individuals have been advised to check their Explanation of Benefits statements carefully to make sure only services that have been received are listed. Since there is potential for malicious actors to change addresses, plan members have been told to check to make sure regular correspondence from Triple S is still being received.
Triple S notes that it has not received any notifications to suggest that any PHI has been accessed or misused by unauthorized individuals.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 36,305 plan members were affected by the mailing error.
While all privacy breaches are bad news, this incident will be especially concerning for Triple-S. In 2015, following an investigation into data breaches by the HHS’ Office for Civil Rights, Triple S Management Corporation – the parent company of Triple-S Advantage – settled multiple HIPAA violations with OCR for $3.5 million. Triple S was also fined $1.5 million by the Puerto Rico Health Insurance Administration.
The multi-million dollar settlement with OCR resolved serial violations of HIPAA Rules and multiple compliance failures that contributed to eight data breaches by Triple S Management Corporation subsidiaries between 2010 and 2014.
The company will still be on OCR’s radar and the latest breach is certain to be very carefully scrutinized for any sign of noncompliance with HIPAA Rules.