Puerto Rican Breach Affects 400,000

Insurer Claims a Competitor Accessed a Database
Puerto Rican Breach Affects 400,000
About 400,000 Puerto Ricans enrolled in the government's health insurance plan for the impoverished have potentially been affected by a breach incident involving unauthorized access to an Internet database.

Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans and serves as a government contractor, said in a recent 10-Q securities filing that a competitor informed it that "certain of our competitor's employees" accessed the database without permission Sept. 9-15. The filing was originally reported at phiprivacy.net

The database included information pertaining to individuals previously insured under the government health plan that was managed by a Triple-S subsidiary, as well as information about the independent practice associations that provided services to those individuals.

"The database intrusion may have potentially compromised protected health information of approximately 398,000 beneficiaries," according to the 10-Q filing. The company said its investigation also revealed that protected health information of approximately 5,500 government health insurance plan beneficiaries and 2,500 Medicare beneficiaries, plus certain independent practice association data, was inappropriately accessed through multiple intrusions into the database from October 2008 to August 2010. The information accessed did not include Social Security numbers, the company said, but it did not reveal what other information was accessed.

Breach Incident Cause

The company determined that the security breaches were the result of unauthorized use of one or more active user IDs and passwords for the database, according to its 10-Q filing. "We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs," the company said. "We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation, we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs."

Triple-S Management said it has strengthened its server security and credentials management procedures and is assessing all security measures.

The Puerto Rico Department of Health notified the U.S. Department of Health and Human Services' Office for Civil Rights of the incident, which added it to its list of major health information breaches. Triple-S Management is listed as a business associate of the department.

In terms of the number of individuals potentially affected, the incident ranks as the fourth largest reported to OCR since it began tallying the list in September 2009, as required under the HITECH Act.

Puerto Rican authorities have hit a Triple-S unit with a $100,000 fine for the breach, which the company is appealing, according to its 10-Q filing.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.