MAPFRE Life Assurance Company of Puerto Rico learned the hard way about the risk of loss of patient information with portable devices like USBs, even when they are stored in the IT Department.

On September 29, 2011, an unencrypted portable USB storage device, which was left overnight in the IT Department, was stolen by an unknown individual. It also was not password protected. This was not a USB left in a car that was broken into, or a hotel room, or left on a plane or train, which are the usual facts. No, this one was in the IT Department during off-hours. The message is clear that no unencrypted USB drive is safe.

The USB contained the names, Social Security numbers and dates of birth of 2,209 patients.

Following an investigation by the Office for Civil Rights (OCR), the OCR alleged that MAPFRE:

  • impermissibly disclosed the ePHI of 2,209 individuals
  • failed to conduct a comprehensive risk assessment,
  • failed to implement reasonable measures to reduce risks at an appropriate level
  • failed to implement a security awareness program for its employees
  • failed to safeguard ePHI stored on portable devices through encryption or its equivalent
  • failed to implement policies and procedures to safeguard ePHI
  • delayed corrective measures following the submission of the breach notification

The result? A settlement of $2,204,182 and the implementation of a Corrective Action Plan.

This is another case to learn from and covered entities and business associates (and those in other industries) may wish to revisit the question of whether using USB drives in the organization, or storing unencrypted USB drives even in the IT Department fits within the risk management strategy of the organization.