The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services recently announced a resolution agreement with Triple-S Management Corporation, a Puerto Rico-based insurance holding company. The settlement requires Triple-S to pay a $3.5 million penalty and adopt a comprehensive corrective action plan. This settlement is the second largest HIPAA penalty assessed to date. The OCR began its investigation into Triple-S when it received several breach notifications involving unsecured Protected Health Information (PHI). The OCR discovered widespread noncompliance during its investigation, mostly involving failure to implement appropriate administrative, physical, and technical safeguards to protect PHI. For example, Triple-S impermissibly disclosed PHI to an outside vendor that did not have an appropriate Business Associate Agreement with Triple-S. This settlement illustrates to covered entities under HIPAA the importance of having a HIPAA compliance program already in place. The failure to do so, as illustrated by Triple-S, can prove costly.