Affinity Health Plan, Inc. (Affinity), a not-for-profit managed care plan serving the New York metropolitan area, recently settled a breach case under the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services (HHS) for nearly $1.25 million.
An investigation by the HHS Office for Civil Rights (OCR) found that Affinity impermissibly disclosed the PHI of nearly 350,000 individuals when it returned multiple photocopiers to leasing agents without erasing data on the hard drives. The OCR also found that Affinity failed to incorporate the electronic PHI (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities required by the HIPAA Security Rule, and failed to implement policies and procedures when returning the photocopiers to leasing agents. The settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all photocopier hard drives used by the plan that remain in the possession of the leasing agent, and to take measures to safeguard all ePHI.
The HHS news release on the photocopier breach case can be found by clicking here.
Department of Health and Human Services. “HHS Settles with Health Plan in Photocopier Breach Case.” News Release. 14 Aug. 2013.