Florida suspends Mirra after transferring data without authorization
Farah Amod
April 8, 2026
A Brooksville health administrator exposed sensitive data for more than 23,000 Medicare Advantage enrollees by outsourcing claims processing to companies in India and the Philippines without notifying the health plans it served.
What happened
Florida Insurance Commissioner Mike Yaworsky has ordered the immediate suspension of Mirra Health Care LLC's certificate of authority after regulators found the company transferred sensitive Medicare Advantage enrollee data to unlicensed companies in India and the Philippines without the knowledge or approval of the health maintenance organizations it served. According to the Florida Office of Insurance Regulation, Mirra Health held contracts with three Florida HMOs, Secur, Solis, and Ultimate, to perform core administrative functions including member enrollment, claims adjudication and payment, utilization management, and grievance and appeals processing for 23,119 Medicare Advantage enrollees. The company delegated that work to four offshore entities, Data Marshall, BluOne India, HOM India Private Limited, and Saibervet, without obtaining the advance written approval required by its contracts. The OIR determined that the business practices posed an imminent threat to the public health, safety, and welfare of Florida residents.
Going deeper
The majority of the affected enrollees are among the most vulnerable populations in the Medicare program. According to The Capitolist's reporting on the OIR order, affected individuals included participants in Chronic Condition Special Needs Plans for people with severe or disabling chronic conditions, Dual Eligible Special Needs Plans for individuals entitled to both Medicare and Medicaid, and Institutional Special Needs Plans for individuals who require care in long-term skilled nursing or intermediate care facilities. The OIR found that Mirra Health's offshore contracts lacked expiration dates, creating what regulators described as ongoing unauthorized exposure of sensitive data to entities entirely outside the state's regulatory reach. When investigators requested that Mirra Health produce the contracts it had signed with the overseas companies, the organization failed to provide all of them, which the OIR treated as a separate violation of the Florida Insurance Code. Under the suspension order, Mirra Health may continue servicing existing agreements during the first 30 days to minimize disruption to consumer claims handling, but it cannot enter into any new Florida administrator agreements, and the suspension may last up to one year.
What was said
Florida Insurance Commissioner Mike Yaworsky stated in the OIR's March 24, 2026, press release, "Mirra Health's business practices are extremely reckless, especially when it comes to exposing the sensitive health information of vulnerable Florida residents. I am ordering an immediate suspension of the company's certificate of authority, as the company's actions are not competent or trustworthy. The Office of Insurance Regulation will continue to aggressively investigate this matter and stand up for the more than 23,000 enrollees impacted by this careless behavior."
In the know
The Mirra Health case illustrates a compliance risk that regulators and healthcare attorneys have flagged for years: healthcare organizations and their administrative partners frequently treat offshore data transfers as an operational matter rather than a regulatory one. According to reporting by the Tampa Bay Times on the OIR investigation, federal regulations do not prohibit offshoring protected health information, but organizations remain legally responsible for what happens to that data regardless of where it is processed. Attorney Elizabeth Hodge, a partner at Akerman, told healthcare security media that while offshoring PHI is not categorically prohibited, the compliance obligations that follow the data do not stop at the U.S. border. Mirra Health compounded the underlying compliance failure by using offshore entities that were unlicensed, that operated without the contractually required authorization, and that in some cases worked under contracts with no termination clauses, leaving regulators with no mechanism to compel compliance or to end the data exposure quickly.
The big picture
Third-party vendor relationships remain one of the most structurally difficult areas of HIPAA compliance for healthcare organizations to manage, and the Mirra Health case reflects a pattern of inadequate oversight rather than an isolated incident. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure was the most common email breach pattern in 2025, responsible for 28 percent of all email incidents reported to HHS, with an average cost of $4.9 million per incident according to IBM. The report noted that "healthcare organizations report limited visibility into third-party cybersecurity controls, despite increasing reliance on vendors for core operations," citing EY research. The Mirra Health suspension adds a regulatory dimension beyond data security: when a subcontractor is unlicensed and operating outside the jurisdiction of state regulators, the covered entity and the administrator face not only a data breach risk but a complete loss of oversight capacity. Paubox CEO Hoala Greevy has previously noted that "too many vendors still treat HIPAA as optional," and that any vendor handling protected health information without proper agreements and controls in place is "creating liability" for the organizations that engage them.
FAQs
What is a Medicare Advantage Special Needs Plan, and why does exposure of this data carry increased risk?
Special Needs Plans are structured versions of Medicare Advantage designed for people with serious chronic conditions, people who qualify for both Medicare and Medicaid, or people who live in institutional settings like skilled nursing facilities. The data associated with these plans typically includes detailed clinical, financial, and eligibility information. Exposure of this data can enable identity theft, insurance fraud, and targeted exploitation of populations who may have limited capacity to monitor or respond to misuse.
Is it legal to transfer protected health information to overseas companies?
Federal HIPAA regulations do not prohibit offshoring PHI, but they require that any vendor handling PHI be governed by appropriate agreements and that covered entities remain accountable for how that data is handled. State regulations may impose additional requirements; in this case, Mirra Health's contracts with the HMOs required advance written approval before delegating work to offshore partners, and the OIR found that approval was never obtained.
What is a certificate of authority, and what does its suspension mean in practice?
A certificate of authority is a state-issued authorization that allows a company to operate as a licensed health administrator or insurance entity in Florida. Under the OIR order, suspension means Mirra Health cannot enter into any new Florida administrator agreements; it may continue servicing existing agreements during the first 30 days so that claims processing for affected enrollees is not disrupted, and the suspension may last up to one year.
What obligations do HMOs have when their administrator shares data without authorization?
Health plans that engage third-party administrators remain accountable for how their enrollees' data is handled under both state and federal law. Regulators have indicated they may investigate whether the three affected HMOs conducted adequate oversight of Mirra Health's subcontracting practices, potentially exposing them to additional compliance scrutiny.
What steps can healthcare organizations take to prevent unauthorized data transfers by their vendors?
Organizations should require contractual provisions that explicitly prohibit data sharing with undisclosed subcontractors, conduct regular audits of vendor relationships and subcontracting activity, include termination clauses allowing contracts to be ended if regulatory requirements are violated, and establish clear processes for reviewing and approving any offshore data handling arrangements before they begin.