Time to trade in that photocopier? Be sure to wipe its memory first.
Affinity Health Plans recently settled a case filed by the U.S. Department of Health and Human Services (HHS) for Health Information Portability and Accountability Act (HIPAA) privacy and security violations. Affinity agreed to pay $1.2 million in fines because it failed to clear the hard drive of one of its leased photocopiers, which was later purchased by CBS.
Affinity self-reported the breach after CBS Evening News advised it that the copier’s hard drive contained confidential patient medical information. Upon investigating the breach, Affinity estimated that as many as 344,000 patients may have been affected. And this was not the first photocopier Affinity had returned without wiping its hard drive.
The HHS investigation found that Affinity had not included photocopier hard drives in its definition of electronic protected health information in its risk assessment, as required by the HIPAA Security Rule. It also determined that Affinity had violated the HIPAA Privacy Rule by failing to implement policies and procedures to scrub internal hard drives before returning photocopiers to its office equipment vendors.
In addition to the $1.2 million settlement payment, Affinity must make its best effort to track down and scrub the hard drives of all photocopiers it previously leased that are still in the leasing agent’s possession.
This story holds lessons for all organizations that use photocopiers, as well as fax machines, which are another potential storage location for data of “ephemeral” value that should be deleted rather quickly.
As general office equipment becomes more technologically sophisticated, it can pose additional threats to an organization’s ability to safeguard its own data. So, whenever new technology or office equipment is introduced to the workplace, information governance professionals need to understand its capabilities (in particular, whether it stores data and where) and the new risks it may introduce. Then, they should review existing policies and procedures to see whether they are adequate to mitigate the risks that have been identified. Where they are not, the gaps should be filled.
The final – and in some ways, the most important – step is to ensure that employees are aware of the new risks and the policies and procedures they need to follow to mitigate them. Include this information in training and awareness campaigns to ensure that employees are aware of their obligations for protecting records and information.