OCR, Affinity Health Plan Reach Settlement on Photocopier Breach Case

OCR, Affinity Health Plan Reach Settlement on Photocopier Breach Case

In a week including several high profile HIPAA breach incidents and settlements, the Department of Health and Human Services announced the biggest one of all: a settlement agreement with Affinity Health Plan stemming from an incident in 2010 when it was discovered that an improperly wiped photocopier compromised the PHI of over 300,000 patients. Affinity and HHS agreed to settle the case for $1,215,780.

The Data Breach Incident in the Healthcare Field

What was notable about this particular incident was not necessarily the high settlement figure or even the large number of patients involved, but the bizarre nature of the incident itself. In the period leading up to the incident, the New York-based health plan had been leasing the digital photocopier. After the next user, CBS, purchased the copier from the leasing agent, it discovered hundreds of thousands of patient records that had not been deleted off the hard drive before the end of Affinity’s lease term.
HIPAA data breaches in the healthcare field
This incident underscores the greater risk that compliance or information officers need to take into account in their risk assessments: the human factor. State-sponsored cyber terrorism might get all of the press headlines, but a healthcare provider is far more susceptible to something as simple as a lost laptop or an improperly wiped digital device. As mentioned in our webinar this past Wednesday, the proliferation of IT and other healthcare digital products is empowering healthcare organizations to deliver better care to their patients. Nevertheless, the loss of patient data through these devices should always be at the forefront of a CIO’s mind.

The Cost of a Healthcare Data Breach

As with all data breach settlements with HHS, the settlement figure only shows us the tip of the financial iceberg. After taking into account the costs associated with patient notification and credit monitoring services that a covered entity must legally include, the actual cost of this incident is very likely to represent a multiple of the HHS settlement amount.