In a previous blog post, “The Hidden Security Dangers of Your Office Copier,” we discussed the risks of information stored on office copiers. Since 2002, digital copy machines have been equipped with hard drives that save and store all scanned, faxed, and copied documents. One organization discovered this the hard way. Affinity Health Plan, Inc., of New York was hit with a $1.2 million fine issued by the Health and Human Services Office for Civil Rights (OCR). Affinity was notified of the breach by CBS Evening News, which had discovered almost 344,000 confidential medical records on a hard drive inside a discarded copy machine.
Office for Civil Rights Investigation
OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without destroying the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.
When an organization reviews its security and data destruction policies and procedures, copiers are often overlooked because it is not always immediately apparent that they store extremely sensitive documents. Copiers should be treated as sensitive assets: they contain as much sensitive information as a company computer or cell phone, if not more.
Copy Machines Can be a Security Risk
To properly protect your organization, written policies and procedures for data security and destruction should include sections on your office copy machines, covering when and how they are removed and who will take them. Remember, most electronics wholesalers need to keep the hard drive intact so the machine keeps functioning and retains its resale value. It is a dangerous assumption that leasing or asset disposition companies have your best interests in mind. Look for a company with a third-party data destruction certification, such as one from the National Association for Information Destruction (NAID), to make sure that your information is properly destroyed.
Remember, DataShield NEVER resells hard drives. From computers and laptops to copiers, all hard drives are removed and shredded to ensure your protection and compliance. To learn more about NAID AAA Certification or about how DataShield can help ensure your compliance with data destruction laws, please give us a call at 402.898.5000.