The U.S. Department of Health and Human Services (HHS) says Affinity Health Plan, Inc. will pay more than a million dollars ($1,215,780) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after it returned leased photocopiers with confidential medical records still on their hard drives.
Affinity Health Plan is a not-for-profit managed care plan offering free or low-cost health insurance to residents of the New York metropolitan area.
"This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent," said Leon Rodriguez, director of HHS's Office for Civil Rights. "HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information."
According to HHS, Affinity reported the breach of protected health information to the HHS Office for Civil Rights on April 15, 2010, as required by federal law.
Affinity said it learned of the breach from a representative of the CBS Evening News, who told it that CBS had purchased a photocopier previously leased by Affinity as part of an investigative report, and that the copier's hard drive still contained confidential medical information.
Affinity estimated that up to 344,579 individuals may have been affected by the breach.
OCR’s investigation found that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and it failed to implement policies and procedures when returning the photocopiers to its leasing agents.
In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to "use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI (electronic protected health information)."
HHS notes that the National Institute of Standards and Technology has issued guidance on media sanitization (NIST Special Publication 800-88, Guidelines for Media Sanitization), which makes the point that sanitizing media is the responsibility of every party that handles the data, not only its originator. ("Data generated by one organization may pass through systems and storage media of multiple other organizations before arriving at rest in the final destination," the guidance says. "As a result, more parties than ever are responsible for effectively sanitizing media and the potential is substantial for sensitive data to have been collected and retained on the media. This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way. The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data.")
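The NIST guidance HHS points to separates clearing or purging media from verifying the result, and it is the verification step that would have caught these copier drives before they went back to the lessor. The following is an added example, not part of the HHS release and not anything Affinity or NIST published: it runs an SP 800-88 style Clear (single-pass overwrite) on a constructed disk image standing in for a copier hard drive, then verifies it two ways, a full read-back against the overwrite pattern and a re-scan for SSN-shaped strings, the kind of check that shows whether the drive is actually safe to hand over. The image contents, record text and offsets are constructed for the demonstration. Overwriting a file only reaches the bytes the filesystem exposes; on a real drive the overwrite must target the block device, and for flash media or drives with remapped sectors 800-88 calls for the device's own sanitize command or physical destruction rather than an overwrite.

```python
"""Overwrite-and-verify a disk image the way NIST SP 800-88 structures a Clear.

Added example on a constructed image; not code from the HHS release or from
Affinity. Real media must be sanitized at the block-device level.
"""
import os
import re
import tempfile

# Constructed stand-in for a copier's hard drive: a small image with a few
# "scanned job" records embedded in otherwise zero-filled space.
IMAGE_SIZE = 512 * 1024
SAMPLE_RECORDS = [
    (4096,   b"SCAN-JOB 0001 PATIENT: JOHN DOE  SSN: 123-45-6789 DX: pending\n"),
    # Placed so the SSN straddles the 64 KiB scan-chunk boundary at 65536.
    (65495,  b"SCAN-JOB 0002 PATIENT: JANE ROE  SSN: 987-65-4321 DX: pending\n"),
    (300000, b"SCAN-JOB 0003 PATIENT: MARY ROE  SSN: 555-12-3456 DX: pending\n"),
]
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
SCAN_CHUNK = 64 * 1024
OVERLAP = 16  # longer than any SSN match, so a straddling hit is not missed


def build_sample_image(path, size=IMAGE_SIZE):
    """Write the constructed image to `path`."""
    with open(path, "wb") as f:
        f.truncate(size)
        for offset, record in SAMPLE_RECORDS:
            f.seek(offset)
            f.write(record)


def find_residual_phi(path, chunk=SCAN_CHUNK):
    """Return absolute offsets of SSN-shaped strings found anywhere on the image.

    Streams the image in chunks and re-scans a short overlap so a match split
    across two chunks is still found; hits are deduplicated by absolute offset.
    """
    hits = set()
    tail = b""
    pos = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            window = tail + buf
            base = pos - len(tail)
            for m in SSN_RE.finditer(window):
                hits.add(base + m.start())
            tail = window[-OVERLAP:]
            pos += len(buf)
    return sorted(hits)


def clear_image(path, pattern=b"\x00", chunk=1024 * 1024):
    """Single-pass overwrite (800-88 'Clear' for magnetic media). Returns bytes written."""
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_clear(path, pattern=b"\x00", chunk=1024 * 1024):
    """Full read-back verification: offset of the first byte that differs from
    `pattern`, or -1 when every byte matches."""
    expected = pattern * chunk
    pos = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                return -1
            if buf != expected[:len(buf)]:
                for i, b in enumerate(buf):
                    if b != pattern[0]:
                        return pos + i
            pos += len(buf)


def sanitize_and_verify(path):
    """Clear the image, then verify both ways: pattern read-back and PHI re-scan."""
    before = find_residual_phi(path)
    clear_image(path)
    return {
        "hits_before": before,
        "first_bad_offset": verify_clear(path),
        "hits_after": find_residual_phi(path),
    }


def demo():
    """Run the whole flow on a temporary constructed image and return the results."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "copier.img")
    try:
        build_sample_image(path)
        return sanitize_and_verify(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

The re-scan after the overwrite is the part worth keeping in a real disposal checklist: a lessor-bound drive that still yields a single hit has not been sanitized, whatever the wipe tool reported. The chunked scanner keeps a short overlap between reads because a record that crosses a chunk boundary, as the second sample does, would otherwise be missed by a naive loop.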