October 14, 2019

October 11, 2019

Photocopiers – A Recurring Data Security Risk

In a case that illustrates the data privacy risks associated with modern copiers, the United States Department of Health and Human Resources (HHS) has announced a $1,215,780 settlement with Affinity Health Plan, Inc. (Affinity), arising from an investigation of potential violations of the HIPAA Privacy and Security Rules.

This matter started when Affinity was advised by CBS Evening News that CBS had purchased a photocopier previously leased by Affinity.  CBS explained that the copier’s hard drive contained confidential medical information relating to Affinity patients.  As a result, on August 15, 2010, Affinity self-reported a breach with the HHS’ Office for Civil Rights (OCR).  Affinity estimated that the medical records of approximately 344,000 persons may have been affected by this breach.  Moreover, Affinity apparently had returned multiple photocopiers to office equipment vendors in the past without erasing the data contained upon the internal hard drives of those returned copiers.

After investigating this matter, OCR determined that Affinity had failed to incorporate photocopier hard drives into its definition of electronic protected health information (ePHI) in its risk assessments as required by the Security Rule.  Affinity also failed to implement appropriate policies and procedures to scrub internal hard drives when returning photocopiers to its office equipment vendors.  As a result, OCR determined that Affinity also violated the Privacy Rule.

In discussing this issue, Leon Rodriguez, Director of OCR, stated that, "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it is recycled, thrown away or sent back to a leasing agent…HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information."

In addition to the agreed upon settlement payment of $1,215,780, the settlement also requires the implementation of a Corrective Action Plan (CAP).  The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take protective measures to safeguard all ePHI going forward.

Points to Consider

Affinity’s case demonstrates the risks presented by the modern copier: it is a specialized computer that stores the data it processes and retains it indefinitely.  Thus, copiers pose a security risk for any company that processes and/or possesses personally identifiable information or proprietary information, such as trade secrets, research and development records, marketing plans and financial information.  Clearly, this risk applies to businesses regardless of specific business sector.

Therefore, when acquiring a copier, consider all options available to protect the data processed on that machine, typically through encryption or overwriting.  Encryption will scramble the data that remains stored on the copier’s hard drive.  Overwriting (or wiping) will make reconstructing the data initially on the drive very difficult.

Finally, anticipate the copier’s return to the vendor or other disposition.  Make sure that arrangements are made prior to the copier’s departure to effect the hard drive’s removal and secure disposition so as to make any data on it unusable to third parties.  Often vendors will provide such a service as will IT consultants.
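As an added illustration of the two points above (overwriting the drive, and checking it before the copier leaves the building), the following script is not part of the original article or of any vendor's tooling. It works on an in-memory "drive image" constructed inline, with made-up record text standing in for leftover scan data; on a real copier the same residual-data audit would be run against the removed drive or a forensic image of it, and the overwrite step would be done with a vendor's data-security kit or a disk-wiping tool rather than a Python list. Sector size, record contents and offsets are all assumptions made for the demonstration.

```python
import os
import re

SECTOR = 512  # assumed sector size for the constructed image


def build_sample_image(sectors=64):
    """Constructed sample: a small blank drive image with two residual
    text records placed in it, simulating leftover scan data."""
    img = bytearray(sectors * SECTOR)
    records = [
        b"PATIENT: Jane Doe DOB: 1970-01-01",   # constructed, not real data
        b"MEMBER ID: 000-00-0000 (constructed)",
    ]
    for i, rec in enumerate(records):
        offset = (i * 7 + 3) * SECTOR            # arbitrary sectors 3 and 10
        img[offset:offset + len(rec)] = rec
    return img


def overwrite_image(img, passes=1, pattern=None):
    """Overwrite every byte of the image in place.
    pattern=None fills with random bytes (like a random-pass wipe);
    a bytes pattern such as b"\\x00" fills with that fixed value."""
    n = len(img)
    for _ in range(passes):
        if pattern is None:
            img[:] = os.urandom(n)
        else:
            img[:] = (pattern * (n // len(pattern) + 1))[:n]
    return img


def audit_image(img, min_run=8):
    """Residual-data check a practitioner would run before a drive leaves:
    count sectors that are not all zeros and pull out printable ASCII runs
    of at least min_run bytes, the way a strings-style triage would."""
    nonzero = sum(
        1 for s in range(0, len(img), SECTOR) if any(img[s:s + SECTOR])
    )
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    strings = [m.group().decode("ascii") for m in re.finditer(pattern, bytes(img))]
    return {
        "sectors": len(img) // SECTOR,
        "nonzero_sectors": nonzero,
        "strings": strings,
    }


def verify_zero_wiped(img):
    """True only when every byte is zero, i.e. a zero-fill wipe completed."""
    return not any(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("before wipe:", audit_image(image))      # shows the two records
    overwrite_image(image, pattern=b"\x00")
    print("after zero-fill:", audit_image(image))  # no sectors, no strings
    print("zero-wiped:", verify_zero_wiped(image))
```

The audit is deliberately simple: it flags any non-blank sector and any readable text, which is enough to catch a drive that was returned untouched, as in the Affinity case. A random-pass wipe leaves every sector non-zero by design, so after that kind of overwrite the useful check is that none of the known record text remains, not that the drive reads as all zeros.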

Note that protecting sensitive information is a company’s ongoing responsibility.  Make sure that copiers are considered as part of any comprehensive data security or privacy policy (as are PCs, laptops, smart phones, flash drives and other electronic devices) to avoid an avoidable, but costly and embarrassing, data breach.

For additional information from the FTC on safeguarding sensitive data stored on the hard drives of digital copiers, see the FTC's guidance on that topic.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

About this Author

Kenneth Dort, Drinker Biddle Law Firm, Intellectual Property and Data Security Attorney, Chicago
Partner

Kenneth K. Dort counsels clients on information technology and intellectual property law issues—specifically, software development and licensing, systems development and integration, data security and privacy, trade secret protection and patent/copyright/trademark licensing and protection. He is chair of the firm’s Technology Committee.

Ken is CIPP/US, CIPP/E and CIPP/C certified and advises clients throughout the United States, the European Union and Canada on their data security and privacy practices and compliance needs...

312-569-1458
Mary Devlin Capizzi, Corporate Attorney, Drinker Biddle
Partner

Mary Devlin Capizzi counsels individual corporations and consortia clients (comprised of industry, government and academia representatives) on a range of compliance matters involving regulatory, legislative, scientific and policy issues in the U.S., the EU and other countries around the world. She represents clients in the pharmaceutical, biotechnology, medical device, health, nutrition, chemical and technology sectors.

Mary serves as a managing partner of the firm. She was the first chair of the firm’s Professional Development Committee, is a member of the Women's Leadership Committee and a member of the Government and Regulatory Affairs Practice Group.

Prior to joining the firm, Mary served on the New York City-based legal team that represented the Bank Advisory Committees for Brazil and Mexico in connection with the restructuring of their sovereign external debt. She is a fluent Spanish speaker and completed foreign study programs at La Universidad de San Luis in Madrid, Spain; Universidad Internacional, Center for Bilingual Multicultural Studies in Cuernavaca, Mexico; Universitá di Dallas in Rome, Italy; and L’Ecole des Cadres in Paris, France.

202-230-5101