Stolen USB drives continue to generate large HIPAA fines

As we've previously covered, stolen USB drives are a big liability for HIPAA entities. When we last covered it in 2014, we used public data to calculate that it costs an average of $925,000 in HIPAA fines per stolen thumb drive. That average is likely to go up. This week the U.S. Department of Health and Human Services announced it issued a $2.2 million HIPAA fine for a stolen USB thumb drive. The affected entity is MAPFRE Life Insurance Company of Puerto Rico (MAPFRE).

USB drive stolen overnight

• Failure to conduct a risk analysis and implement risk management plans, contrary to what was claimed earlier.
• Failure to deploy encryption on its laptops and removable storage media until three years after the incident.
• Failure or significant delay in implementing corrective measures.

USB Drives are a HIPAA Violation Waiting to Happen

• They are easy to steal or misplace.
• Hardware Encrypted USB Drives are hard to distinguish from non-encrypted drives.
• Using software to encrypt a USB drive is beyond the ability of most users. In other words, they won't do it.

We believe HIPAA violations like this will further push U.S. healthcare entities to adopt HIPAA compliant cloud storage technologies like Paubox.

About MAPRE

MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.

SEE ALSO: HIPAA Fines caused by Stolen Thumb Drives