One health plan provider learned an expensive lesson.
Affinity Health Plan, Inc. returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. As a result, the private health information of up to 344,579 individuals may have been released. The U.S. Department of Health and Human Services recently announced a settlement with Affinity that includes payment of $1,215,780 for violation of HIPAA Privacy and Security rules.
The persistence of information on photocopier hard drives was the subject of a CBS investigative report a few years ago. It was CBS News that purchased the photocopier that had previously been used by Affinity Health Plan and alerted them to the breach. The hard drives were returned, and Affinity subsequently filed formal notification with state and federal regulators.
Many photocopiers retain digital images of everything that has passed through their system – including scanned, faxed and printed documents. Some have features that allow users to overwrite images after the print job finishes, so sensitive information does not remain on a non-secured hard drive.
Any research administration office should be aware of the potential for information breach when using photocopiers, not just those that deal with private health information. If a hard copy of a document must be secure, such as invention information or conflict of interest disclosure, then the same should apply to the digital copy stored on the hard drive.
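As an added illustration (not part of the original post, and not a tool from any of the organizations named), the check below shows how an office could verify a copier drive image before the unit goes back to the lessor: it counts sectors that are not zero-filled and looks for the file signatures a copier spooler typically leaves behind (JPEG, PDF, TIFF, PostScript). The drive images, sector size and function names are all constructed for the example.

```python
# Added example: verify a raw image of a photocopier hard drive before the unit
# is returned to the leasing agent. Copiers spool scanned, faxed and printed
# pages as image files, so residual JPEG/PDF/TIFF/PostScript headers are a sign
# the drive was not sanitized. Sample "drive images" are constructed in memory.

SECTOR = 512  # assumed sector size for the constructed images

# Magic bytes for document formats commonly stored by a copier spooler.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"%PDF-": "PDF",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%!PS": "PostScript",
}

def scan_image(data: bytes) -> dict:
    """Return data-remanence findings for a raw drive image held in memory."""
    nonzero_sectors = [
        i for i in range(0, len(data), SECTOR)
        if any(data[i:i + SECTOR])          # any non-zero byte in the sector
    ]
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:                    # record every occurrence, not just the first
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return {
        "sectors": len(data) // SECTOR,
        "nonzero_sectors": len(nonzero_sectors),
        "signatures": sorted(hits),
        "zero_filled": not nonzero_sectors,  # only meaningful for a zero-fill overwrite
    }

def build_sample(wiped: bool) -> bytes:
    """Constructed 64-sector image, optionally containing leftover print/scan jobs."""
    img = bytearray(64 * SECTOR)
    if not wiped:
        img[10 * SECTOR:10 * SECTOR + 5] = b"%PDF-"          # leftover PDF print job
        img[40 * SECTOR:40 * SECTOR + 3] = b"\xff\xd8\xff"   # leftover JPEG scan
    return bytes(img)

if __name__ == "__main__":
    for label, wiped in (("returned as-is", False), ("after overwrite", True)):
        r = scan_image(build_sample(wiped))
        print(f"{label}: {r['nonzero_sectors']}/{r['sectors']} non-zero sectors, "
              f"signatures={r['signatures']}, zero_filled={r['zero_filled']}")
```

The zero-fill count only proves anything when the sanitization method writes zeros; after a random-pattern overwrite every sector is non-zero, and the signature scan is the check that matters.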
The news release in this case included helpful links to information from the Federal Trade Commission on safeguarding sensitive data stored on the hard drives of digital copiers and draft guidance from the National Institute of Standards and Technology on media sanitization.