In a case that illustrates the data privacy risks associated with modern copiers, the United States Department of Health and Human Resources (HHS) has announced a $1,215,780 settlement with Affinity Health Plan, Inc. (Affinity), arising from an investigation of potential violations of the HIPAA Privacy and Security Rules.
This matter started when Affinity was advised by CBS Evening News that CBS had purchased a photocopier previously leased by Affinity. CBS explained that the copier’s hard drive contained confidential medical information relating to Affinity patients. As a result, on August 15, 2010, Affinity self-reported a breach to the HHS’ Office for Civil Rights (OCR). Affinity estimated that the medical records of approximately 344,000 persons may have been affected by this breach. Moreover, Affinity apparently had returned multiple photocopiers to office equipment vendors in the past without erasing the data contained on the internal hard drives of those returned copiers.
After investigating this matter, OCR determined that Affinity had failed to incorporate photocopier hard drives into its definition of electronic protected health information (ePHI) in its risk assessments as required by the Security Rule. Affinity also failed to implement appropriate policies and procedures to scrub internal hard drives when returning photocopiers to its office equipment vendors. As a result, OCR determined that Affinity also violated the Privacy Rule.
In discussing this issue, Leon Rodriguez, Director of OCR, stated that, “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it is recycled, thrown away or sent back to a leasing agent… HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the agreed-upon settlement payment of $1,215,780, the settlement also requires the implementation of a Corrective Action Plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained in photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take protective measures to safeguard all ePHI going forward.
Points to Consider
Affinity’s case demonstrates the risks presented by the modern copier – they are specialized computers that will store data and retain it indefinitely. Thus, they pose a security risk for any company that processes and/or possesses personally identifiable information or proprietary information, such as trade secrets, research and development records, marketing plans and financial information. Clearly, this risk applies to businesses regardless of specific business sector.
Therefore, when acquiring a copier, consider all options available to protect the data processed on that machine, typically through encryption or overwriting. Encryption will scramble the data that remains stored on the copier’s hard drive, so that the drive is unreadable without the key. Overwriting (or wiping) replaces the stored data with other patterns and will make reconstructing the data initially on the drive very difficult.
Finally, anticipate the copier’s return to the vendor or other disposition. Make sure that arrangements are made prior to the copier’s departure to effect the hard drive’s removal and secure disposition so as to make any data on it unusable to third parties. Often vendors will provide such a service as will IT consultants.
Note that protecting sensitive information is a company’s ongoing responsibility. Make sure that copiers are considered as part of any comprehensive data security or privacy policy (as are PCs, laptops, smart phones, flash drives and other electronic devices) to avoid an avoidable, but costly and embarrassing, data breach.
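The overwrite-and-verify step recommended above, as an added illustration that is not part of the original post: the script builds a constructed "drive image" file seeded with fake patient markers, overwrites it in two passes (random bytes, then zeros), reads the whole image back to confirm none of the markers survive, and produces a disposition record that can be kept with the asset inventory when the copier goes back to the vendor. The asset id, marker strings and file size are all made-up values. Overwriting a file on a host filesystem is only a model of the procedure; on a real copier the sanitization is done through the vendor's data-erase feature or a whole-device tool, and for flash or SSD media overwriting is unreliable because of wear levelling, which is why NIST SP 800-88 prefers cryptographic erase or physical destruction for such media.

```python
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass

# Constructed fake-PHI markers; they stand in for the patient data a copier
# would retain after scanning or copying medical records.
MARKERS = [b"PATIENT: Jane Doe", b"MRN: 000123", b"DX: Hypertension"]


def build_sample_image(path, size=64 * 1024):
    """Write a constructed 'copier hard drive' image with markers embedded in random filler."""
    data = bytearray(secrets.token_bytes(size))
    for i, marker in enumerate(MARKERS):
        offset = (i + 1) * (size // (len(MARKERS) + 1))
        data[offset:offset + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(data)
    return path


def overwrite_image(path, passes=(None, b"\x00"), chunk=4096):
    """Overwrite every byte of the image once per pass.

    A pass of None writes fresh random bytes; a one-byte pattern writes that byte.
    Returns the number of bytes covered by each pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass reached the medium, not just a cache
    return size


def verify_sanitized(path, markers=MARKERS):
    """Read the whole image back; return (markers still present, whether every byte is zero)."""
    with open(path, "rb") as f:
        data = f.read()
    leaked = [m for m in markers if m in data]
    return leaked, not any(data)


@dataclass
class DispositionRecord:
    asset_id: str
    bytes_overwritten: int
    passes: int
    verified: bool
    image_sha256: str  # hash of the post-wipe image, kept as evidence with the inventory


def sanitize_and_record(asset_id, path):
    """Wipe the image, verify it, and return the record to file before the copier leaves."""
    passes = (None, b"\x00")
    size = overwrite_image(path, passes)
    leaked, all_zero = verify_sanitized(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return DispositionRecord(asset_id, size, len(passes), not leaked and all_zero, digest)


def demo():
    """Run the whole procedure on a temporary image; returns (markers found before wipe, record)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = build_sample_image(os.path.join(workdir, "copier-hdd.img"))
        before, _ = verify_sanitized(image)
        record = sanitize_and_record("COPIER-0001", image)  # constructed asset id
        return len(before), record


if __name__ == "__main__":
    found_before, rec = demo()
    print(f"markers present before wipe: {found_before}")
    print(rec)
```

The verification step is the part most often skipped in practice: a wipe that is not read back and recorded gives the organization nothing to show an investigator, whereas the record above ties a specific asset to a specific sanitization result.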
For additional information, see the FTC’s guidance on safeguarding sensitive data stored on the hard drives of digital copiers.