Insurance Company Faces $1.2 Million Penalty for Photocopier Data Breach Affecting 344,579 Individuals.


Date: Tuesday September 10, 2024 04:56:59 pm

  • toner
    Keymaster

    Insurance Company Faces $1.2 Million Penalty for Photocopier Data Breach Affecting 344,579 Individuals.

    HHS Settles with Health Plan Over Photocopier Data Breach. The U.S. Department of Health and Human Services (HHS) has reached a settlement with Affinity Health Plan, Inc. regarding potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Affinity Health Plan will pay $1,215,780 to resolve these issues. Affinity Health Plan, a non-profit managed care organization serving the New York metropolitan area, reported the breach to the HHS Office for Civil Rights (OCR) on April 15, 2010, in compliance with the HITECH Act’s Breach Notification Rule.

    The breach came to light when CBS Evening News informed Affinity that a photocopier previously leased by the health plan contained confidential medical information on its hard drive. CBS had purchased the copier as part of an investigatory report, which revealed that sensitive data had not been properly removed. Affinity estimated that up to 344,579 individuals may have been affected.

    OCR’s investigation uncovered that Affinity failed to erase data from multiple photocopiers returned to leasing agents, thereby disclosing protected health information (PHI) without authorization. Furthermore, Affinity did not factor in the electronic protected health information (ePHI) stored on these hard drives in its risk assessments as required by the Security Rule. The investigation also found that the health plan lacked adequate policies and procedures for managing data on leased photocopiers.

    “This settlement underscores the importance of properly handling equipment that retains electronic information,” said OCR Director Leon Rodriguez. “HIPAA-covered entities must conduct thorough risk analyses and implement appropriate safeguards to protect sensitive data.”

    In addition to the financial settlement, the corrective action plan (CAP) requires Affinity to make diligent efforts to recover all hard drives from photocopiers previously leased by the plan and to enhance measures for safeguarding ePHI.

    For guidance on protecting sensitive data from digital copiers, visit FTC’s advice on copier data security. The National Institute of Standards and Technology offers media sanitization guidance at NIST’s draft publication. OCR also provides free HIPAA compliance training for continuing medical education at Medscape’s training. For further details on the HHS Resolution Agreement and CAP, visit the OCR website at this link.
