
Health Data Breach

Updated: Nov 27, 2024

Affinity Health Plan Data Breach: A Cautionary Tale of Improper Equipment Disposal


In 2010, Affinity Health Plan, a New York-based healthcare provider, found itself at the center of a serious data breach that exposed sensitive personal health information (PHI) of more than 344,000 individuals. The breach occurred due to the improper handling of photocopiers that contained hard drives storing confidential patient data. Affinity's failure to adequately sanitize the copiers before returning them to a leasing company highlighted a critical gap in data security protocols, particularly regarding the disposal and management of equipment containing sensitive information.



How the Breach Occurred

Affinity Health Plan had been using leased photocopiers in its offices for several years. What many businesses, including Affinity, did not realize is that modern photocopiers store images of all documents copied, scanned, or faxed on internal hard drives. When the lease on these machines ended, the devices were returned to the leasing company without the data on the hard drives being wiped or securely destroyed.


In a 2010 investigation, CBS News purchased several used photocopiers as part of an exposé on data privacy risks. One of the copiers purchased had come from Affinity Health Plan, and investigators were able to retrieve thousands of sensitive medical records from the machine’s hard drive. The information included Social Security numbers, medical diagnoses, and patient details—all of which are protected under the Health Insurance Portability and Accountability Act (HIPAA).


Regulatory and Financial Impact

Following the discovery of the breach, Affinity Health Plan was investigated by the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). Under HIPAA, healthcare organizations are required to safeguard protected health information, including ensuring that all data stored on equipment is properly erased or destroyed before decommissioning or reselling.

As a result of this violation, Affinity Health Plan agreed to pay a $1.2 million settlement to resolve the breach. Additionally, the company was required to adopt a corrective action plan, including revising its policies and procedures for the disposal of electronic devices and training its workforce on HIPAA compliance.


Lessons Learned: The Importance of Equipment Sanitization

The Affinity Health Plan breach serves as a critical reminder that sensitive data can exist in unexpected places, such as photocopiers, printers, and other office equipment. Organizations, particularly those in regulated industries like healthcare, must take extra precautions when retiring equipment to ensure that no residual data can be accessed by unauthorized parties.


Conclusion: Data Security Beyond IT Equipment

The Affinity Health Plan incident shows that data security is not limited to computers and servers. Devices like photocopiers, which often go unnoticed in discussions of data protection, can store vast amounts of sensitive information. Organizations must adopt comprehensive policies for the secure disposal of all equipment that has the potential to store confidential data. In the Affinity case, the consequences of overlooking such equipment were costly, both financially and in terms of patient trust.


The most secure way to ensure that data cannot be recovered is to physically destroy the media that contains it. NTERA can help you ensure that data is never recovered.


Sources:

  1. CBS News Report on Photocopier Privacy Risks: https://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

  2. U.S. Department of Health and Human Services (HHS) Settlement Announcement: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/affinity/index.html

  3. Affinity Health Plan Breach Case Summary: https://www.ocrportal.hhs.gov/ocr/breach/breach_report.jsf

