The OCR recently announced a HIPAA settlement based on the theft of a USB data storage device with unsecured electronic protected health information (ePHI).

MAPFRE Life Insurance Company of Puerto Rico will pay $2.2 million and implement a corrective action plan, OCR reported. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

MAPFRE filed a breach report with OCR in September 2011 indicating that a portable USB device containing ePHI was stolen when it was left unsecured in the IT department overnight. The device included complete names, dates of birth, and Social Security numbers of 2,209 people.

MAPFRE reported that it was able to identify the breached ePHI by reconstituting the data on the computer to which the device had been attached. OCR’s investigation determined that the company was not in compliance with HIPAA rules, specifically citing a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until Sept. 1, 2014.

MAPFRE also failed to implement, or delayed implementing, other corrective measures it informed OCR it would undertake.

The resolution agreement and corrective action plan may be found online at: