Blog: Chronicle of Data Protection | 16 August 2013

Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

The importance of implementing effective data tracking, security and vendor management programs continues to be reinforced. A reminder came again in the form of a recently-announced $1.2 million settlement between the Department of Health and Human Services Office for Civil Rights (OCR) and a New York health plan. In 2010, Affinity Health Plan self-reported a HIPAA breach of electronic patient records relating to 345,000 people. Those records were stored in the internal memory of digital photocopiers leased by the plan. Post-lease, the company returned the photocopiers, but did not erase the hard drives embedded in the copiers. That mistake triggered an extensive investigation by OCR, an eventual settlement and the imposition of a corrective action plan. The settlement and corrective action plan is available here.In addition to the $1.2 million monetary settlement, the corrective action plan may also prove onerous. The plan requires the company to “use its best efforts” to attempt to retrieve the returned hard drives and safeguard them from “impermissible disclosure.” Failing that, the insurer must submit a description of the lengths it went to trying to get them back. Finally, the company agreed to evaluate risks to patient privacy and create strategies to eliminate these risks within 30 days of the settlement’s effective date of August 7, 2013. The case reminds us that breaches need not involve intrusion by hackers or criminals. They often involve simple mistakes, which can be avoided through compliance programs and contractual protections. For example, this type of situation may have been avoided by:

  • identifying and tracking devices that access or store protected data;
  • adopting policies and practices that ensure data is wiped clean from returned or discarded devices;
  • implementing a vendor management program that identifies third parties who may access protected data; and
  • crafting data-related contractual provisions, including, when necessary, business associate agreements, to ensure that data is managed, used and secured in accordance with applicable laws, user expectations and business interests.
These practices can be adopted voluntarily to help prevent a problem before it occurs. Or, as the New York health plan discovered, they can be imposed by regulators or business circumstances after the damage of a breach is already done. Special thanks to associate Adnan Zulfiqar in our Washington, D.C. office for his assistance with this entry.

Back to main blog

Related blog posts

Ill-Suited: Private Rights of Action and Privacy Claims

19 July 2019

The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’...

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

7 February 2019

Much of the focus on the California Consumer Privacy Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and...

Are You Ready for Brazil’s New Data Protection Law?

27 December 2018

The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on...

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s Anti-Discrimination Clause

12 December 2018

One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may...

Authors

NoImage

Scott Loughlin


Loading data