Copier Data Breach Leads to HIPAA Settlement

Posted in HIPAA and the HITECH Act, Privacy and Data Protection, Private Insurers

On August 14, the U.S. Department of Health and Human Services (HHS) announced that it had reached a settlement with Affinity Health Plan, Inc. under which Affinity would pay $1.2 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Affinity is a managed care company that markets its health plans in the New York metropolitan area.

In early 2010, Affinity returned leased photocopiers to their lessors without deleting unsecured protected health information (PHI) that had been stored on the photocopiers’ hard drives. As part of an investigatory report, CBS Evening News had purchased one of the photocopiers and discovered that its hard drive contained PHI. CBS notified Affinity of the data breach, and in April 2010 Affinity notified HHS’s Office for Civil Rights (OCR) as required by the Breach Notification Rule of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR’s investigation revealed that Affinity had neglected to erase data from the hard drives of numerous photocopiers before returning them to their lessors. Affinity estimated that as many as 344,579 people’s information may have been compromised. OCR’s investigation also uncovered other violations of the HIPAA Security Rule by Affinity, including that the company had failed to implement proper policies and procedures to safeguard PHI.

In HHS’s press release, OCR Director Leon Rodriguez said, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.”
