We use cookies to deliver our online services. Details of the cookies we use and instructions on how to disable them are set out in our Cookies Policy. By using this website you agree to our use of cookies. To close this message click close.

Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

Scott Loughlin

16 August 2013
The importance of implementing effective data tracking, security and vendor management programs continues to be reinforced. A reminder came again in the form of a recently-announced $1.2 million settlement between the Department of Health and Human Services Office for Civil Rights (OCR) and a New York health plan.
Settlement for Failure to Scrub Data from Photocopier:  A $1.2 Million Lesson Learned

In 2010, Affinity Health Plan self-reported a HIPAA breach of electronic patient records relating to 345,000 people. Those records were stored in the internal memory of digital photocopiers leased by the plan. Post-lease, the company returned the photocopiers, but did not erase the hard drives embedded in the copiers. That mistake triggered an extensive investigation by OCR, an eventual settlement and the imposition of a corrective action plan. The settlement and corrective action plan is available here.In addition to the $1.2 million monetary settlement, the corrective action plan may also prove onerous. The plan requires the company to “use its best efforts” to attempt to retrieve the returned hard drives and safeguard them from “impermissible disclosure.” Failing that, the insurer must submit a description of the lengths it went to trying to get them back. Finally, the company agreed to evaluate risks to patient privacy and create strategies to eliminate these risks within 30 days of the settlement’s effective date of August 7, 2013.

The case reminds us that breaches need not involve intrusion by hackers or criminals. They often involve simple mistakes, which can be avoided through compliance programs and contractual protections. For example, this type of situation may have been avoided by:

  • identifying and tracking devices that access or store protected data;
  • adopting policies and practices that ensure data is wiped clean from returned or discarded devices;
  • implementing a vendor management program that identifies third parties who may access protected data; and
  • crafting data-related contractual provisions, including, when necessary, business associate agreements, to ensure that data is managed, used and secured in accordance with applicable laws, user expectations and business interests.

These practices can be adopted voluntarily to help prevent a problem before it occurs. Or, as the New York health plan discovered, they can be imposed by regulators or business circumstances after the damage of a breach is already done.

Special thanks to associate Adnan Zulfiqar in our Washington, D.C. office for his assistance with this entry.

Scott Loughlin

Cybersecurity in the Health Sector

The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...

02 May 2016
Loading data