Financial Crime World

Data Breach Risk Management in Puerto Rico: A Case Study of Triple-S Management Corp.

Introduction

A recent incident involving unauthorized access to an Internet database has put the sensitive information of approximately 400,000 Puerto Ricans at risk. This case study examines the data breach and its impact on data breach risk management in Puerto Rico.

The Incident

According to a 10-Q securities filing, a competitor informed Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans, that certain employees had accessed the database without permission from September 9 to 15. The affected individuals are enrolled in the government’s health insurance plan for the impoverished, managed by a subsidiary of Triple-S.

Compromised Data

The breach may have compromised protected health information (PHI) of approximately 398,000 beneficiaries, including:

  • Government health insurance plan beneficiaries
  • Medicare beneficiaries
  • Certain independent practice association data

While Social Security numbers were not accessed, other sensitive information may have been compromised.

Investigation and Response

Triple-S Management Corp. has launched an investigation into the incident, which it believes was caused by unauthorized use of active user IDs and passwords. The company has taken steps to strengthen its server security and credentials management procedures and is assessing all security measures.

The Puerto Rico Department of Health notified the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) of the incident, which added it to its list of major health information breaches. The company has also been hit with a $100,000 fine by Puerto Rican authorities, which it is appealing.

Lessons Learned

This incident highlights the importance of data breach risk management in Puerto Rico, particularly in the healthcare industry where sensitive information is at stake. As the government and private companies continue to invest in digital technologies, they must also prioritize cybersecurity measures to protect against unauthorized access and ensure the confidentiality, integrity, and availability of sensitive information.

Best Practices for Data Breach Risk Management

To mitigate the risk of data breaches, organizations can implement the following best practices:

  • Conduct regular security audits and risk assessments
  • Implement strong access controls and authentication procedures
  • Encrypt sensitive data both in transit and at rest
  • Monitor network activity and detect anomalies
  • Train employees on cybersecurity best practices and incident response procedures
  • Establish incident response plans and protocols