Business Associate Breach

Today, I am presenting a case study on the chain of events after a Business Associate breach of electronic protected health information (ePHI).

Business Associates (BAs): YOU may be directly liable for violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Breach Notification Rule, as well as certain provisions of the Privacy Rule, after experiencing such a breach. Liability may attach to a BA even when the BA has not entered into the required Business Associate Agreement with the Covered Entity (CE).

Breach History:

On September 29, 2011, MAPFRE Life Insurance Company of Puerto Rico filed a breach report with the Office for Civil Rights (OCR) after a USB data storage device was stolen from its IT department, affecting 2,209 patients.

What OCR Found During Their Breach Investigation:

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA rules: specifically, a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014 (approximately three years after the breach).


MAPFRE Life was found out-of-compliance in the following areas:

  1. Impermissible disclosures of PHI
  2. Failure to conduct a thorough risk analysis and implement security measures
  3. Failure to provide a security awareness and training program for all members of its workforce, including management
  4. Failure to implement encryption technologies for PHI
  5. Failure to implement appropriate policies and procedures to comply with the HIPAA Security Rule

HIPAA Enforcement

On January 11, 2017, Health and Human Services (HHS) agreed to accept, and MAPFRE Life agreed to pay, a $2,204,182.00 settlement (the Resolution Amount).


MAPFRE Life was also required to enter into a six-year Corrective Action Plan (CAP) with OCR.

Lessons Learned

Don’t ignore YOUR need to be HIPAA compliant! Any device or media that holds PHI needs to be properly protected – HIPAA is not system or hardware specific; it applies to all of them!

Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details; they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?



Join HIPAA alli for our live webinar, where we provide valuable information on a range of HIPAA compliance-related topics and allow attendees to gain insider insight and learn industry best practices.