Insurance Company Faces $1.2 Million Penalty for Photocopier Data Breach Affecting 344,579 Individuals.

Tonernews.com, September 10, 2024. USA
Posted by toner (Keymaster)

HHS Settles with Health Plan Over Photocopier Data Breach

The U.S. Department of Health and Human Services (HHS) has reached a settlement with Affinity Health Plan, Inc. over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Affinity Health Plan will pay $1,215,780 to resolve the matter. Affinity Health Plan, a non-profit managed care organization serving the New York metropolitan area, reported the breach to the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the HITECH Act's Breach Notification Rule.

The breach came to light when CBS Evening News informed Affinity that a photocopier previously leased by the health plan still held confidential medical information on its hard drive. CBS had purchased the copier for an investigative report, which revealed that the sensitive data had never been removed. Affinity estimated that up to 344,579 individuals may have been affected.

OCR's investigation found that Affinity had returned multiple photocopiers to leasing agents without erasing the data on their hard drives, thereby disclosing protected health information (PHI) without authorization. Affinity also failed to account for the electronic protected health information (ePHI) stored on those hard drives in its risk analysis, as the Security Rule requires, and it lacked policies and procedures for handling the ePHI on leased photocopiers when they were returned.

"This settlement underscores the importance of properly handling equipment that retains electronic information," said OCR Director Leon Rodriguez. "HIPAA-covered entities must conduct thorough risk analyses and implement appropriate safeguards to protect sensitive data."

In addition to the financial settlement, the corrective action plan (CAP) requires Affinity to make diligent efforts to recover all hard drives from photocopiers it previously leased and to strengthen its safeguards for ePHI.

For guidance on protecting sensitive data stored on digital copiers, see the FTC's advice on copier data security. The National Institute of Standards and Technology (NIST) offers media sanitization guidance in its draft publication. OCR also provides free HIPAA compliance training, eligible for continuing medical education credit, through Medscape. Further details on the HHS Resolution Agreement and CAP are available on the OCR website.
