Roughly two years after getting hit with a $3.5 million settlement with the Health and Human Services Office for Civil Rights for widespread failure to safeguard patients' protected health information, Puerto Rico-based insurance company Triple-S Advantage has reported another breach, this time in the form of a mailing gone wrong.
In early December, Triple-S Advantage discovered that notices sent in November to providers involved in treating the insurer's members were mailed to the wrong address, compromising the protected health information contained in the notices. The company investigated the misstep and has taken steps to ensure future notices are mailed to the proper addresses. This included a correction of the mailing process and completion of a test to send the letters to the correct addresses. The social security numbers and dates of birth of members were not disclosed, the company said.
The company said it has not received any indication that the information has been accessed or used by an unauthorized individual. Triple-S suggested that members review Explanation of Benefits notices to make sure that the services listed are accurate. It also told members to make sure they continue to receive the documents they normally receive regarding healthcare services or benefits.
"Triple-S Advantage has a strong commitment to protecting the confidentiality of our members' sensitive information. We take information privacy very seriously and it is important to us that our members are made fully aware of a potential privacy issue. We have learned that personal information of some of our members, including their name, health plan identification number, date of service in which treatment was provided, and treatment codes describing the service provided was mailed to the wrong address," the company said in a statement.
This latest incident does not bode well for a company already under a corrective action agreement with OCR as a result of a settlement over widespread HIPAA violations related to a company-wide failure to keep safe the PHI of members on the part of Triple-S and its subsidiaries. This included failure to implement appropriate safeguards for PHI, disclosure of PHI to outside vendors and the disclosure of more PHI than was needed for a particular mailing.
To achieve good standing with OCR, Triple-S is required to create a risk analysis and risk management plan; processes to identify and address environmental or operational changes affecting PHI security; policies and procedures to facilitate HIPAA compliance; and a training program for all workforce and business associates.