A recent data breach of protected health information has resulted in a $1.2 million fine. The Department of Health and Human Services, Office of Civil Rights (OCR), issued the fine to Affinity Health Plan, Inc. in the wake of the breach. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. Affinity was notified of the breach when it was discovered that more than 344,000 confidential medical records remained on a hard drive inside a discarded copy machine.
Data Breach Investigation
OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of the affected individuals when it returned multiple photocopiers to leasing agents without destroying the data stored on the copiers’ hard drives. In addition, the investigation revealed that Affinity failed to include the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), and failed to implement policies and procedures governing the return of the photocopiers to its leasing agents.
In addition to the $1,215,780.00 fine, Affinity must implement a corrective action plan: it must retrieve all hard drives from photocopiers it previously leased and returned to the leasing company, and it must put in place the safeguards required by HIPAA to protect all health information, including information in electronic form.