
Health Care Provider Data Breach Follows Warnings on Digital Copier Security

Affinity May Be Looking at HITECH Act Penalties

A hard drive lurks within your networked digital copier or printer

ADDITIONAL LINKS:

  • Cypher ultra-portable erasure kit meets NIST and DOD standards.
  • HITECH Act now in effect for medical organizations
  • NIST special publication 800-88 media sanitization guidelines

In November of 2009, Data Destruction Topics reported on the data-breach-waiting-to-happen related to digital copy machine hard drives (OMG: There’s a hard drive in my copy machine!). In that posting, we reported that networked printers are a potential source of data breaches, all but ignored by both owners and security professionals.

Now comes the news that Affinity Health Plan, a New York managed care service, has notified well over 400,000 current and former employees that sensitive medical records have been potentially compromised due to the loss of a digital copier hard drive. The copier had previously been leased by Affinity and was later returned to the leasing company without erasing the drive. The hard drive containing the records was found in a warehouse in New Jersey.

Failure to properly dispose of medical records is a violation of new federal HITECH regulations, as well as New York state privacy regulations. In addition to notification requirements, the violations may also result in fines and other sanctions.

The fact that the hard drive had been returned to the vendor in no way absolves Affinity of responsibility for failing to comply with private data security records. HITECH explicitly defines the necessity of protecting private data and provides best practices guidelines based on NIST standards; organizations that fail to comply voluntarily with the Privacy Rule may be subject to civil penalties. In addition, certain violations may be subject to criminal prosecution.

The process of erasing sensitive data from hard drives is inexpensive and fast with recent innovations in data erasure technology. Equally important, these products provide the means of generating an audit trail that certifies compliance, precluding the expense of notification, damage to business relationships and criminal charges.
