Puerto Rico Dept of Health reports breach affecting 400,000; Triple-S Salud fined $100k
The Puerto Rico Department of Health has reported a security breach to HHS involving Triple-S Management Corp. and Triple-S Salud, Inc. Triple-S Management is a managed care company while Triple-S Salud (Triple Health) is an independent licensee of the Blue Cross and Blue Shield Association for Puerto Rico. The breach was reported to HHS as affecting 400,000, and was coded by HHS as “Unauthorized Access/Disclosure, Hacking/IT Incident” involving the “Network Server.” According to HHS’s logs, the breach reportedly occurred on Sept. 21.
I did some digging and found this notice on Triple-S Salud’s site:
If I’m translating it correctly, they are informing people that one or more employees of Medical Card System (illegally) accessed restricted areas of their web site until September 30 and that the breach affected people enrolled in the health plan of the Puerto Rican government for the North and North-Metro regions. The information accessed included the following types of subscriber information: subscriber name, address, diagnostic codes, procedure codes, and IPA (independent practice association).
Not trusting my rusty Spanish skills, however, I decided to keep digging. I found this as part of Triple-S Management’s 10-Q securities filing:
Intrusions into Triple-C, Inc. Internet IPA Database
On September 21, 2010, we learned from a competitor that a specific internet database managed by our subsidiary TCI [Triple-C, Inc.], containing information pertaining to individuals previously insured by TSS [Triple-S Salud, Inc.] under the Government of Puerto Rico’s Health Insurance Plan (“HIP”) and to independent practice associations (“IPAs”) that provided services to those individuals, had been accessed without authorization by certain of our competitor’s employees from September 9 to September 15, 2010. We immediately began an investigation and engaged external resources to assist in this matter. TCI served as a third-party administrator for TSS in the administration of its HIP contracts until September 30, 2010. We have identified the information that was accessed and downloaded into the competitor’s system. The September 2010 intrusions may have potentially compromised protected health information of approximately 398,000 beneficiaries in the North and Metro-North regions of the HIP. We have also learned as a result of our ongoing investigation that protected health information of approximately 5,500 HIP beneficiaries, 2,500 Medicare beneficiaries and IPA data from all three HIP regions previously serviced by TSS was accessed through multiple, separate intrusions into the TCI IPA database from October 2008 to August 2010. The stolen information did not include Social Security numbers.
Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS’s or the Corporation’s system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals’ information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future. We continue to investigate these events and to analyze the data as it becomes known to us to identify all individuals and entities whose information may have been impacted, and to take any additional corresponding remedial actions in accordance with applicable laws and regulations.
We have notified the appropriate Puerto Rico and federal government agencies of these events, and have issued public notice of the breaches as required under Puerto Rico law. We have received a number of inquiries and requests for information related to these events from these government agencies and are cooperating with them. As a result of our ongoing investigation, we have determined that additional filings and public notices will be required. In addition, the Puerto Rico government agency that oversees the HIP has levied a fine of $100,000 on TSS in connection with these incidents, which we are appealing. Other government agencies may seek to impose fines or other obligations on us. We do not have sufficient information at this time to predict whether any future action by government entities or others as a result of the data breaches would adversely affect our business, financial condition and results of operations.