Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

In 2010, Affinity Health Plan self-reported a HIPAA breach of electronic patient records relating to 345,000 people. Those records were stored in the internal memory of digital photocopiers leased by the plan. Post-lease, the company returned the photocopiers, but did not erase the hard drives embedded in the copiers. That mistake triggered an extensive investigation by OCR, an eventual settlement and the imposition of a corrective action plan. The settlement and corrective action plan is available here.In addition to the $1.2 million monetary settlement, the corrective action plan may also prove onerous. The plan requires the company to “use its best efforts” to attempt to retrieve the returned hard drives and safeguard them from “impermissible disclosure.” Failing that, the insurer must submit a description of the lengths it went to trying to get them back. Finally, the company agreed to evaluate risks to patient privacy and create strategies to eliminate these risks within 30 days of the settlement’s effective date of August 7, 2013.

The case reminds us that breaches need not involve intrusion by hackers or criminals. They often involve simple mistakes, which can be avoided through compliance programs and contractual protections. For example, this type of situation may have been avoided by:

• identifying and tracking devices that access or store protected data;
• adopting policies and practices that ensure data is wiped clean from returned or discarded devices;
• implementing a vendor management program that identifies third parties who may access protected data; and
• crafting data-related contractual provisions, including, when necessary, business associate agreements, to ensure that data is managed, used and secured in accordance with applicable laws, user expectations and business interests.

These practices can be adopted voluntarily to help prevent a problem before it occurs. Or, as the New York health plan discovered, they can be imposed by regulators or business circumstances after the damage of a breach is already done.

Special thanks to associate Adnan Zulfiqar in our Washington, D.C. office for his assistance with this entry.