A HITECH Act violation by a health plan in New York, which resulted in a potential data breach affecting 344,579 individuals, has led HHS to impose a penalty of $1,215,780 as a settlement.
The breach occurred when the Plan, which had leased several photocopiers and used them in its operations, decided to return the photocopiers to the lessors. The hard disks attached to the photocopiers were not sanitized before being returned, which resulted in an impermissible disclosure of PHI.
OCR took up an investigation of this breach, which had been reported in April 2010 after a media disclosure. The settlement also includes corrective action as follows:
(1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and
(2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.
The CBS News report filed in April 2010 had indicated that the network purchased 4 used photocopiers from a warehouse in New Jersey and extracted thousands of documents from their hard disks, which contained sensitive information from various organizations including the NY Police Department and the previously mentioned Affinity Health Plan.
The incident highlights the need for all companies handling sensitive personal information to realize that today's photocopying machines carry a hard disk that stores a copy of every document photocopied on the machine, and hence the disk needs to be sanitized before the photocopier is discarded. If they fail to do so, the damages can be crippling.
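The check a practitioner would want before a leased device leaves the building is proof that the drive sanitization actually happened. The script below is an added example, not code from the article or from any of the organizations it names: it streams an image of the drive once, counts bytes that are not zero, and looks for the well-known magic numbers of the formats a copier's scan pipeline writes to disk (PDF, JPEG, TIFF, PNG). The sample images are constructed in memory, and the `chunk_size` parameter exists so the straddling-signature case can be exercised; a real run would pass the path of a drive image instead.

```python
"""Check whether a drive image pulled from a returned copier or other
leased device still holds recoverable documents.  Added example, not from
the article: it streams the image, counts bytes that are not zero and
looks for the magic numbers of formats copiers write to disk."""
import io
from typing import BinaryIO, Dict, Union

# Well-known file signatures (magic numbers) of formats a copier's scan
# and print pipeline typically stores on its internal drive.
SIGNATURES: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff-le",
    b"MM\x00*": "tiff-be",
    b"\x89PNG\r\n\x1a\n": "png",
}
MAX_SIG = max(len(s) for s in SIGNATURES)      # 8; carry MAX_SIG-1 bytes
DEFAULT_CHUNK = 1 << 20                         # 1 MiB reads keep memory flat


def _count_new(window: bytes, sig: bytes, carry_len: int) -> int:
    """Count matches that end beyond the carried-over prefix.  A match that
    lies wholly inside the carry was already counted in the previous round."""
    n, pos = 0, window.find(sig)
    while pos != -1:
        if pos + len(sig) > carry_len:
            n += 1
        pos = window.find(sig, pos + 1)
    return n


def scan_image(image: Union[str, bytes, BinaryIO],
               chunk_size: int = DEFAULT_CHUNK) -> Dict[str, object]:
    """Stream the image once and report non-zero bytes and signature hits.

    `image` may be a path, raw bytes (used by the constructed samples below)
    or an open binary file.  Signatures straddling a chunk boundary are still
    found because the tail of each chunk is prepended to the next search."""
    if isinstance(image, (bytes, bytearray)):
        fh: BinaryIO = io.BytesIO(image)
    elif isinstance(image, str):
        fh = open(image, "rb")
    else:
        fh = image
    hits = {label: 0 for label in SIGNATURES.values()}
    total = nonzero = 0
    carry = b""
    try:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            total += len(chunk)
            nonzero += len(chunk) - chunk.count(0)
            window = carry + chunk
            for sig, label in SIGNATURES.items():
                hits[label] += _count_new(window, sig, len(carry))
            carry = window[-(MAX_SIG - 1):]
    finally:
        if fh is not image:            # close only handles opened here
            fh.close()
    return {"total_bytes": total, "nonzero_bytes": nonzero,
            "nonzero_fraction": (nonzero / total) if total else 0.0,
            "signatures": hits}


def is_sanitized(image, require_zero_fill: bool = True) -> bool:
    """True when no document signature survives and, if required, every byte
    is zero.  A drive overwritten with a random pattern (also acceptable under
    a clear-by-overwrite policy) has many non-zero bytes but no signatures, so
    callers applying that policy pass require_zero_fill=False."""
    report = scan_image(image)
    if any(report["signatures"].values()):
        return False
    return report["nonzero_bytes"] == 0 or not require_zero_fill


def build_samples() -> Dict[str, bytes]:
    """Constructed 4 KiB images: a drive returned as-is with a scanned PDF
    and JPEG still on it, the same drive zero-filled, and one overwritten
    with a fixed non-zero pattern that contains no signature."""
    fake_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    dirty = bytearray(4096)
    dirty[100:100 + len(fake_pdf)] = fake_pdf        # offset chosen so the
    dirty[2000:2000 + len(fake_jpeg)] = fake_jpeg    # PDF sig can straddle chunks
    pattern = bytes((i * 7 + 3) & 0xFF for i in range(4096))
    return {"dirty": bytes(dirty), "zeroed": bytes(4096), "pattern": pattern}


if __name__ == "__main__":
    for name, img in build_samples().items():
        print(name, scan_image(img)["signatures"], "sanitized:", is_sanitized(img))
```

Two design points matter in practice. Signature matching is done on a window that carries the last seven bytes of the previous chunk, so a header split across two reads is still found, and matches wholly inside the carried prefix are skipped so nothing is counted twice. The verdict is also policy-dependent: a zero-fill leaves no non-zero bytes at all, while a random-pattern overwrite leaves a high non-zero fraction but no recognizable headers, so `is_sanitized` lets the caller say which of the two the organization accepts.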