The Department of Health and Human Services’ Office for Civil Rights recently entered into two significant settlements, one with a healthcare insurance company and the other with a hospital, to resolve HIPAA charges.  Triple-S Management Corporation and its relevant subsidiaries agreed to pay a $3.5 million fine and take a series of corrective steps following several breaches involving protected health information.  Lahey Clinic Hospital, Inc. agreed to pay $850,000 and adhere to an action plan following the theft of a device that contained patient electronic protected health information.  Although there are still “a relatively small number of [OCR settlements] each year . . . the penalties have been steadily rising and I expect they will continue to do so,” Robert Belfort, a partner at Manatt, told the Cybersecurity Law Report.  See also “Steps to Take Following a Healthcare Data Breach” (Apr. 22, 2015).