$1.2 Million Penalty in Copier BreachAffinity Health Plan, OCR Settle Over 2010 Incident
The latest HIPAA data breach settlement serves as a costly reminder that organizations must ensure they properly remove or destroy protected health information from all gear prior to disposal.
Affinity Health Plan, a managed care plan company based in New York, has just agreed to pay federal regulators $1.2 million to settle a 2010 incident that affected 344,557 individuals whose data was discovered on the hard drives of copy machines that had been returned to a leasing company.
And while security experts say most organizations are more aware today than in 2010 about the data privacy and security risks posed by equipment such as copiers, printers, and fax machines, this settlement puts the risks in perspective.
"Someone forgets to sanitize the hard drive. The probability of this occurring these days, I would say is low," says independent security consultant Tom Walsh. "The impact if it happened would be high, as demonstrated by this breach by Affinity Health Plan and their OCR settlement."
Facts of the Case
At the center of the agreement was a breach reported by Affinity to the Department of Health and Human Services' Office for Civil Rights on April 15, 2010. Affinity discovered the breach after it was informed by a representative of CBS Evening News that, as part of an investigatory story, CBS had purchased four copy machines from a company that had leased them to four different organizations, including Affinity. CBS had hired a firm to analyze what was on their hard drives, discovering that the machine that Affinity had used contained confidential medical information.
A subsequent OCR investigation found that Affinity disclosed ePHI of other individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives, according to a OCR statement.
In addition, OCR's investigation revealed that Affinity failed to incorporate ePHI stored on photocopier hard drives in its risk analysis of vulnerabilities as required by the HIPAA Security Rule, and failed to implement policies and procedures when returning the equipment to its leasing agents, says OCR.
Besides the hefty penalty, the settlement includes a corrective action plan requiring Affinity "to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all electronic protected health information," OCR's statement says.
Check Electronic Devices
The case is the first HIPAA settlement involving copiers, says an OCR spokeswoman. It also serves as an expensive reminder about properly disposing of all equipment containing PHI."ePHI likely lurks on the hard drives of many machines around any office of a covered entity or business associate - not just on photocopiers, fax machines or scanners," she says. Other devices organizations need to assess for ePHI prior to disposal include:
- Biomedical devices such as physiologic monitors, infusion pumps, ventilators, MRI, CT, and diagnostic ultrasound and laboratory analyzers;
- Mobile devices such as cell phones, smart phones, PDAs, tablets and laptops;
- Legacy magnetic media like floppy drives, zip disks and magnetic tapes;
- PC hard drives;
- Optical media, including CDs and DVDs;
- USB removable media such as pen drives, thumb drives, flash drives and memory sticks;
- Memory cards, including SD, SDHC, MMC, compact flash, microdrive and memory sticks;
- Embedded flash on boards and devices, including motherboards and peripheral cards such as network adapters or any other adapter containing non volatile flash memory;
- RAM and ROM-based storage devices.
In general, most organizations are doing a better job addressing those issues, security experts say.
"Today I believe organizations are more aware of this risk," says security expert Kate Borten, principal of consulting firm The Marblehead Group.
Also, networked devices with buffers and storage such as printers and copiers are more likely to include security features that wipe out data periodically, she says.
Consultant Walsh suggests that the removal and/or sanitization of hard drives should be in contracts with companies that lease machines such as copiers, printers, faxes and scanners.
"The problem is that while these machines connect to the internal network and have an IP address, the IT department usually has nothing to do with them," he says. In hospitals, "materials management typically manages the contract and their staff may not be aware of the privacy and security risks," he cautions. "This is one of the reasons why materials management should consult with IT or biomed before placing a purchase order for equipment that 'plugs' into an outlet or a network jack."
Walsh also reminds organizations about the security and privacy risks of biomedical devices. "Most newer biomed devices have either computer chips and memory integrated into the device, or they are using a Windows-based computer, server or laptop to control the device and/or collect PHI from the device," he says.
Other Disposal Incidents
While the Affinity case marks the first OCR HIPAA settlement involving copy machines, there have been nearly three dozen other large breach cases since September 2009 involving improper disposal of PHI, according to the HHS "wall of shame" website listing incidents affecting 500 or more individuals.
Among those is a recent case involving Texas Health Harris Methodist Hospital Fort Worth. The hospital disclosed last month that it was contacting 277,000 patients to inform them of a breach involving decades-old microfiche medical records that were slated for destruction by business associate Shred-It International. Instead, the records were found intact in a dumpster in a public park.
That Texas Health incident is the largest 2013 breach posted to the HHS tally of major breaches.