Breaches have consequences – eventually?
Triple-S Salud (TSS) is a licensee of Blue Cross Blue Shield of Puerto Rico and handles managed care for Medicare enrollees. In February, the company was fined $6.8M for a breach involving the exposure of over 13,000 insureds’ information in a mailing error. They were also barred from signing up more beneficiaries for their Platino line until they presented a corrective plan to avoid such HIPAA violations. TSS presented the plan, and the sanctions were lifted. TSS is currently fighting the monetary penalty in court.
As huge as the fine was, it’s important to note that the fine was imposed by Puerto Rico’s Medical Insurance Administration (ASES) and not by HHS/OCR, who have yet to conclude their own investigation. And 13,000 is just a drop in the bucket when one looks at how many breaches TSS has reported to HHS over the past 5+ years – breaches that affect approximately 1 million of their insureds. From HHS’s breach tool:
Many of the breaches have only recently been added to the breach tool. Nor is there any explanation of why there are three entries for breaches dated September 20, 2013 – was this all one incident, and are one or more of the entries duplicates? The entry reporting 56,853 affected individuals was added this month.
Trying to report on the newest 56,853 entry, Jeanne Price of idRADAR.com went digging and located a press release on TSS’s website, but the press release appears to relate to a more recent incident reported to HHS that affected 5,795 of TSS’s members and 17,776 of American Health, Inc.’s members. That incident was described in their press release as follows:
TO ALL MEMBERS OF AHM OR TRIPLE-S SALUD MEDICARE ADVANTAGE / MEDICARE PLATINO
On January 14, 2014, Triple-S Advantage Solutions, Inc. (TSAS), the entity that administers Triple-S Salud and American Health, Inc. Medicare Advantage (MA) products, became aware that an ex-employee withheld, without the organization’s knowledge, information of members of the Triple-S Salud and AHM’s MA and Medicare Platino Programs on a compact disk (CD). This person saved information belonging to our members on a computer that was assigned to him in another health insurance organization where he later worked. In general, the exposed information of members included: name, telephone number, date of birth, plan contract number, social security number, Health Insurance Claim Number (HICN) and address. Not all indicators apply to all members.
We took the following mitigating actions: 1) the information was permanently erased from the computer and the server in the other health insurance organization; 2) that organization certified in written form that they did not retain any copy of the information; 3) we interviewed and took a sworn statement from the ex-employee; 4) we recovered the CD and validated that the ex-employee did not retain a copy of the information in any other form. The ex-employee did not have the intention to use the members’ information; hence he was interested in the templates and reports included in the file. He also declared that he did not save the information in any other location nor did he share the information with a third party. We are convinced that there is a very low risk of your information being compromised. However, we have established new operational measures to strengthen our controls and prevent any similar incident in the future.
The incident has been reported to the required government agencies, including the Department of Health and Human Services (DHHS), the Centers for Medicare and Medicaid Services (CMS), the Puerto Rico Health Insurance Administration (PHRIA) and the Department of Consumer Affairs (DACO, for its Spanish acronym).
American Health Inc. posted the same press release on their site.
So if TSS discovered this latest breach in January 2014, why did they wait until April to issue the statement on their website, and why wasn’t this incident included in their first quarter 10-Q filing to the SEC? The filing includes previous incidents that are still under investigation by HHS, including the 2010 one:
On September 21, 2010, the Company learned from a competitor that a specific internet database containing information pertaining to individuals insured at the time by TSS under the Government of Puerto Rico Medicaid program and to independent practice associations that provided services to those individuals, had been accessed without authorization by certain of its employees.
The Company reported these events to the appropriate Puerto Rico and federal government agencies. It then received and complied with requests for information from ASES and the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services, which entities are conducting reviews of these data breaches and TSS’ and TCI’s compliance with applicable security and privacy rules. ASES levied a fine of $100 on TSS in connection with these incidents, but following the Company’s request for reconsideration, ASES withdrew the fine pending the outcome of the review by the OCR. The OCR has not issued its determination on this matter. The Company at this time cannot reasonably assess the impact of these proceedings on the Company.
An earlier SEC filing had provided more details on the breach.
The most recent 10-Q filing also includes the September 2013 breach reported to HHS:
On September 20, 2013, TSS mailed to our approximately 70,000 Medicare Advantage beneficiaries a pamphlet that inadvertently displayed the receiving beneficiary’s Medicare Health Insurance Claim Number (“HICN”). The HICN is the unique number assigned by the Social Security Administration to each Medicare beneficiary and is considered protected health information under HIPAA. TSS conducted an investigation and reported the incident to the appropriate Puerto Rico and federal government agencies. It then received and complied with requests for information from ASES concerning our dual eligible Medicare beneficiaries. On February 20, 2014, TSS also received a request for information from OCR. TSS issued a breach notification through the local media and notified all affected beneficiaries of the situation by mail. TSS also provided a toll-free number for inquiries and complaints from the individuals to whom notice was provided, and is offering them 12 months of free credit monitoring and identity protection through an independent provider.
On February 11, 2014, ASES notified TSS of its intention to impose a civil monetary penalty of $6,778 (sic) and other administrative sanctions with respect to the breach described above involving 13,336 of our dual eligible Medicare beneficiaries. The sanctions include the suspension of all new enrollments of dual eligible Medicare beneficiaries and the obligation to notify affected individuals of their right to disenroll. In its letter, ASES alleged TSS has failed to take all required steps in response to the breach. ASES subsequently informed TSS that it expected TSS to cease such enrollment immediately, and TSS complied. On February 20, 2014, TSS submitted a corrective action plan and, on February 21, 2014, ASES requested TSS to provide additional information in connection with the corrective action plan. On February 26, 2014, ASES temporarily lifted the sanctions related to the enrollment of dual eligible Medicare beneficiaries subject to the approval of the corrective action plan. On March 6, 2014, ASES confirmed its determination regarding the lift of the enrollment sanction and notified its intention to provide TSS a corrective action plan. On March 11, 2014, TSS filed an answer challenging the monetary civil penalty and requesting an administrative hearing, and simultaneously filed a notice of removal in the federal District Court for the District of Puerto Rico. TSS alleges that the administrative proceeding should be dismissed on several grounds, including lack of jurisdiction. On April 10, 2014, ASES filed a motion to remand, and, on April 24, 2014, TSS filed its opposition.
While TSS is collaborating with ASES on these matters, it intends to vigorously contest the monetary fine and other sanctions subject of ASES’ notices. At this time, the Company is unable to determine the ultimate outcome of its challenge to ASES’ sanctions, the incident’s ultimate financial impact on TSS or what measures, if any, will be taken by the OCR or other regulators regarding this matter.
In connection with this event, on February 10, 2014, one individual, on his behalf and on behalf of his spouse, filed suit against TSS in the Court of First Instance of Puerto Rico asserting emotional damages due to the disclosure of his protected health information. Also, on February 24, 2014, another individual filed a class-action suit against TSS claiming approximately $20,000 in damages. On February 27, 2014, TSS filed a motion to dismiss the class-action suit based on several grounds, including lack of standing. The court ordered plaintiff to submit an opposition to TSS’ motion to dismiss, subject to the dismissal of the claim if plaintiff fails to comply. Plaintiff filed its opposition on March 12, 2014 and, on April 14, 2014, TSS replied. The court’s ruling on the motions is pending. The Company intends to vigorously defend against these claims.
So where is the newest breach in that filing? And why do their reports of fines seem to leave out a few zeros (e.g., $100 instead of $100,000, and $6,778 instead of $6,778,000)? Were the media reports on the fines wrong, or has TSS misrepresented the fines in its stock filings?
And when will OCR conclude its own investigation? Is protected health information being adequately secured? Should Blue Cross Blue Shield yank TSS’s license? Should the FTC investigate and enforce data security? What needs to happen here to protect PHI?