Affinity reported the breach to the civil rights office in April 2010 after learning from CBS News that patient-identifiable health information had been left on one of its copying machines, according to an OCR summary of events. It had sold the machine to a reseller in 2009. The OCR thinks Affinity actually sold about seven of its old machines containing member data, compromising confidentiality for more than 300,000 records.
"This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent," Leon Rodriguez, director of the civil rights office, said in the news release. "HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information," Rodriguez said.
The breach made a CBS Evening News program that month, part of a broadcast segment on data security risks posed by copying machines that have computer storage drives on them and are often disposed of without having the drives wiped clean of information.
Featured in the news report were copiers selected at random from the warehouse of a New Jersey reseller of used office equipment. They included one used by Affinity and one each from the sex crimes and narcotics units of the Buffalo, N.Y., police department. The machines gave CBS copies of documents that included medical information such as prescription-drug data, blood-test results and a cancer diagnosis, as well as the names of sex-crime victims and drug-raid targets, according to the broadcast.
The news broadcast brought the problem to the attention of other federal officials, including the Federal Trade Commission and Congress.
CBS reported buying and analyzing only one of Affinity's retired copiers, finding 300 pages of personally identifiable medical information on its hard drive. But the health plan listed 344,579 patient records as having been compromised in November 2009, according to a summary of its breach report to the civil rights office posted on the office's "wall of shame" website, implying multiple machines were involved.
“I think there are roughly seven,” said Rachel Seeger, a spokeswoman for the civil rights office. An Affinity spokeswoman did not return calls for comment at deadline.
As part of its settlement with OCR, Affinity agreed to a corrective action plan in which it must “use its best efforts” to retrieve “all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services,” the leasing agent, according to Seeger.
If Affinity can't retrieve all the copier hard drives, it has to provide OCR with documentation “explaining its 'best efforts' and the reason it was unable to retrieve” them, the agreement said. If the drives can't be located, an OCR regional office overseeing the agreement will base its assessment of compliance on “review and approval of the documentation explaining why its efforts failed to retrieve the hard drives,” the agreement said.
Since breach reporting to OCR became mandatory under the American Recovery and Reinvestment Act in September 2009, 646 major breaches have been posted to its website for the public disclosure of breaches affecting the records of 500 or more individuals. Combined, these larger breaches have exposed patient-identifiable information on at least 22.6 million people.
In its news release, the civil rights office also included links to more information about safeguarding sensitive data stored on copying machines and to a National Institute of Standards and Technology guide to cleaning up digital storage media.
Follow Joseph Conn on Twitter: @MHJConn