Healthcare IT Security

OCR, Affinity Health Plan Reach Settlement on Photocopier Breach Case

Krishna Kurapati
March 14, 2017

In a week that included several high-profile HIPAA breach incidents and settlements, the Department of Health and Human Services announced the biggest one of all: a settlement agreement with Affinity Health Plan stemming from a 2010 incident in which a photocopier returned without its hard drive being wiped exposed the PHI of more than 300,000 patients. Affinity and HHS agreed to settle the case for $1,215,780.

The Data Breach Incident in the Healthcare Field

What was notable about this particular incident was not necessarily the high settlement figure or even the large number of patients involved, but the unusual nature of the incident itself. The New York-based health plan had been leasing a digital photocopier. When Affinity's lease ended, the copier went back to the leasing agent with its hard drive intact, and the next buyer, CBS, found hundreds of thousands of patient records still stored on it.

HIPAA data breaches in the healthcare field

This incident underscores a risk that compliance and information security officers need to weigh in their risk assessments: the human factor. State-sponsored attacks get the press headlines, but a healthcare provider is far more likely to suffer something as simple as a lost laptop or a device returned without its storage being wiped. In practice that means treating leased copiers and multifunction printers as storage devices: inventory them, and sanitize or remove the hard drive before they leave the organization. As mentioned in our webinar this past Wednesday, the proliferation of IT and other healthcare digital products is enabling healthcare organizations to deliver better care to their patients. Nevertheless, the loss of patient data through these devices should always be at the forefront of a CIO's mind.

The Cost of a Healthcare Data Breach

As with all data breach settlements with HHS, the settlement figure shows only the tip of the financial iceberg. Once the costs of the patient notification required under the HIPAA Breach Notification Rule, the credit monitoring services that covered entities commonly offer affected individuals, and the internal investigation and remediation are added in, the actual cost of this incident is very likely a multiple of the HHS settlement amount.

The Author
Krishna Kurapati

With over two decades of technology entrepreneurship experience, Krishna Kurapati started QliqSOFT with a strong desire to solve clinical collaboration and workflow challenges in US healthcare. During the late 90s, Krishna co-founded IPCell to build the first cable IP telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
