HIPAA-US$1.2 m damage for not sanitizing photocopier hard disk

A HITECH Act violation by a health plan in New York resulted in a potential data breach of 344,579 individuals has resulted in the HHS imposition of penalty of Rs $1,215,780 as a settlement.

The breach occurred when the Plan which had leased several photocopiers and used it during its operations decided to return the photocopiers to the lessors. The hard disks that are attached to the photocopier were not sanitized before being returned which resulted in an impermissible disclosure of PHI.

OCR had taken up an investigation of this breach which had been reported in April 2010 after a media disclosure. The settlement has also suggested a corrective action as follows.

 (1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and

(2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.

Related Article 

The report of CBS News filed in April 2010 had indicated  that the agency purchased 4 used photocopiers from a warehouse in New Jersy and extracted thousands of documents from the hard disks which contained sensitive information from various agencies including the NY Police department and the previously referred Affinity Health Plan.

The incident highlights the need for all companies handling sensitive personal information realize that the Photocopying machines of current days carry a hard disk which copies every document that is photocopied in the machine and hence needs to be sanitized before the photocopier is discarded. If they fail to do the damages can be crippling.


Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law, HIPAA. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.