Hiding in Plain Sight: Failure to Scrub Patient Data from Digital Copiers Returned to Leasing Company Results in $1.2 Million Health Insurance Portability and Accountability Act (HIPAA) Settlement
We’ve sounded warnings about the lowly copy machine before (here and here). The proliferation of digital devices in the workplace means that data security must extend beyond computer networks and laptops. Seemingly old fashioned equipment, such as copiers, can hide sensitive legally-protected data. Affinity Health Plan, a New York-based managed care company, learned that hard lesson when it became entangled in a 2010 CBS News investigation into the risks associated with image data stored in the hard drives of digital copiers. As the report indicates, digital copiers contain hard drives that retain electronic images of all documents that have been copied or scanned. Users of digital copiers often fail to scrub their hard drives before selling the copiers or returning them at the end of a lease. In order to demonstrate how this could result in disclosure of sensitive data, CBS News purchased four used copiers from a leasing company and then accessed the hard drives to see whether any images had been retained. Two machines contained sensitive police information from the Buffalo, NY police department. A third machine contained design plans, payroll records and copied checks for a construction company in New York. The last machine, which had been leased by Affinity, contained over 300 pages of individual medical records. These finding were then reported on the April 20, 2010 broadcast of The CBS Evening News.
Affinity reported the incident to the federal Department of Health and Human Services (“HHS”), and an investigation by the Office of Civil Rights (“OCR”) ensued. The investigation concluded on August 7, 2013 with a resolution agreement between HHS and Affinity. According to the resolution agreement, OCR’s investigation found that Affinity had “failed to assess and identify the potential security risks and vulnerabilities of EPHI [electronic protected health information] stored in the photocopier hard drives,” and “failed to implement its policies for the disposal of EPHI with respect to the aforementioned photocopier hard drives.” As a result, OCR found that Affinity had “impermissibly disclosed the EPHI of up to 344,579 individuals when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company.” Affinity denied wrongdoing, but agreed to pay $1,215,780 and to implement a corrective action plan that includes “a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by” Affinity.
There are several lessons to be learned from Affinity’s payment of a substantial settlement after becoming the subject of a nationally-broadcast investigation. The first, which should be obvious, is that failure to protect sensitive data adequately has significant regulatory and reputational costs. The second is that avoiding those costs requires thoroughness and attention to detail. All businesses that use and store protected health care, financial or personal data should conduct a comprehensive risk analysis of all leased or owned electronic equipment and systems before being forced to do so in a regulatory corrective action plan resulting from a data breach. For those businesses that have previously conducted such an analysis, the Affinity settlement is a timely reminder of the importance of periodic reviews of systems to ensure that data security policies account for newly-acquired and implemented systems or equipment. Finally, this settlement also calls into play vendor management: how does your business manage third-party equipment vendors and service providers, particularly when it comes to storage and/or disposal of sensitive information?