Privacy & Information Security Law Blog

On August 14, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1,215,780 settlement with Affinity Health Plan (“Affinity”) stemming from a security breach that affected approximately 350,000 individuals.

The Affinity settlement relates to the impermissible disclosure of electronic protected health information (“ePHI”) stored on photocopier hard drives that Affinity had leased. As we reported in 2010, CBS News purchased one of the photocopiers that Affinity returned to the leasing company and produced an exposé detailing the information (ranging from “drug prescriptions, to blood test results, to a cancer diagnosis”) found on the copier’s hard drives.

Following Affinity’s submission of a breach report to the HHS Office for Civil Rights (“OCR”) in April 2010, an investigation determined that Affinity allegedly had not complied with HIPAA Security Rule requirements, including by failing to (1) properly erase the photocopier hard drives before returning them to the leasing company, (2) assess and identify the security risks to the ePHI on the drives and (3) implement its own policies for disposing of ePHI.

Pursuant to the resolution agreement, Affinity has agreed to pay a $1,215,780 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Affinity to:

• retrieve all photocopier hard drives leased from Canon Financial Services and safeguard all ePHI contained therein, and if it is unable to retrieve the drives Affinity must document its “best efforts” at retrieval and the reason for its inability to retrieve the drives;
• conduct a comprehensive risk analysis of “all electronic equipment and systems controlled, owned or leased” by Affinity and develop a plan to mitigate any risks that are discovered in this risk analysis, which could include modifying its policies and procedures; and
• forward the policies and procedures to OCR and incorporate any changes to OCR recommends.

In announcing the settlement, the Director of the HHS Office for Civil Rights Leon Rodriguez noted that entities should ensure “that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.” The HHS press release also linked to the FTC’s guidance on photocopiers, which we wrote about in 2011. The Affinity settlement marks the fourth enforcement action taken by OCR in 2013, following a July settlement with WellPoint, a June settlement with Shasta Regional Medical Center and a May 2013 settlement with Idaho State University. So far, OCR has imposed approximately $3.6 million in civil penalties in 2013.

View the resolution agreement.