
Healthcare provider to pay big for data compromise

Aug 17, 2013 Dave King

In the healthcare industry, organizations are trusted with an ever-increasing amount of sensitive and confidential patient information. So when a data breach occurs and individuals become victims of identity theft, providers can face steep fines and a loss of public trust.

Most recently, New York-based managed care provider Affinity Health Plan learned this lesson the hard way. In April, the organization was alerted to a breach grounded solidly in human error, Health Data Management reported. CBS Evening News contacted Affinity to inform it that a copier previously leased by the health provider and recently purchased by the news show still contained confidential medical data on its hard drive.

Affinity immediately filed a report with the United States Department of Health and Human Services' Office for Civil Rights, estimating that up to 344,579 people were potentially affected by the breach, the news source stated.

"The investigation revealed that Affinity failed to incorporate the electronic protected information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents," Health Data Management explained.

As a result, Affinity will pay a $1,215,780 fine as well as comply with an outlined corrective action plan. Among the items outlined, the healthcare provider will need to retrieve the hard drives that contained the patient information and adopt additional security measures to prevent breaches from occurring in the future.

CBS Evening News featured the breach as part of its program that month, using it as a way to look at the data security risks created by machines that have storage capabilities and the dangers created when they are improperly disposed of.