A privacy breach at the Puerto Rico health plan Triple-S Advantage affected 36,000 plan members. The cause of the breach was a mailing error that disclosed the plan members’ sensitive information to the wrong recipients.
No Social Security numbers or financial data of plan members were exposed in the mailing error. The exposed information included the plan members’ names, ID numbers, dates of service and treatment codes. The mailing error happened in November, but Triple-S became aware of it only on December 5, 2017. Triple-S investigated the incident to find out how the mailing error happened. As a result, action was taken to make sure that the same error is avoided in future mailings.
A substitute breach notice informed Triple-S’ plan members of the changes in the mailing processes, which have already been tested. A test mailing run used copies of the original letters and sent them to the correct recipients. All plan members affected by the breach also received notification about their PHI exposure via first-class mail.
Plan members were also advised to check their Explanation of Benefits statements carefully. Since their ID numbers were exposed, they should make sure that the services listed are only those they received. They also need to make sure that they keep getting Triple-S’ regular correspondence, as there is a possibility that malicious actors could change addresses.
According to Triple-S, it has received no report that suggests access or misuse of plan members’ PHI by unauthorized persons. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates that 36,305 plan members were impacted by the mailing error.
This breach incident is really bad news for Triple-S, as Triple-S Management Corporation, its parent company, was already penalized for multiple HIPAA violations by the HHS’ Office for Civil Rights. Triple-S Management Corporation paid $3.5 million to OCR to settle 8 data breaches that happened from 2010 to 2014. Triple-S also paid $1.5 million to the Puerto Rico Health Insurance Administration. Most likely, the company will be under the watchful eye of OCR to see if there was any violation of HIPAA Rules with the latest breach.