- Recent Data Breach Demonstrates the Importance of Keeping Track of Your Sensitive Information
- August 29, 2013 | Authors: Joan W. Feldman; David M. Mack; William J. Roberts
- Law Firm: Shipman & Goodwin LLP - Hartford Office
The United States Department of Health and Human Services Office for Civil Rights (“OCR”) recently announced the imposition of monetary penalties and corrective action against a New York managed care company after the managed care company reported that patient health information was retained on a leased photocopy machine returned to the leasing company. While the OCR action was the result of the managed care company’s potential violation of HIPAA (a health care privacy statute applicable to health care providers and health plans, and certain of their contractors), this enforcement action provides valuable lessons for both health care and non-health care entities alike.
The Enforcement Action
On April 15, 2010, Affinity Health Plan notified OCR of a breach of the unsecured protected health information of nearly 350,000 individuals. Affinity learned of the breach after a representative of the CBS Evening News informed Affinity that it had purchased a copier previously leased by Affinity and that the copier contained confidential health information on its hard drive.
Upon notification, OCR investigated the incident and its investigation indicated that Affinity impermissibly disclosed protected health information when it returned multiple copiers to its leasing agents without erasing the data from each copier’s hard drive. Affinity settled the potential violations by agreeing to a $1,214,780 payment and a corrective action plan requiring Affinity to, among other things, retrieve other hard drives on copiers previously leased by it.
This enforcement action has implications for virtually any business or entity that collects and maintains personal information, whether such information is health-care, financial or personal (i.e. Social Security numbers) in nature. Over the last several years, such businesses have found themselves subject to an increasing number of data privacy and security laws, which, in general, impose obligations upon the businesses to protect the privacy and security of the health care, financial or personal information they maintain and to take steps to prevent the improper disclosure of such information. As such, businesses should carefully assess their collection, storage, use and destruction of data - even in places where they may have not known data to exist (like a photocopier hard drive).
Businesses may find themselves subject to one or more of these data privacy and security laws and should seek the advice of counsel to understand and satisfy the requirements of each. While enforcement activity and penalties vary by law and state, it is safe to say that businesses face continually increasing exposure for data privacy and security liability and should be taking steps to mitigate that liability and reduce the risks of a breach. As Affinity shows us, data may be hiding in unlikely places and even a single oversight may result in a substantial breach and significant penalties and costs. Regardless of your specific industry or the specific laws that apply to you, the following best practices will go a long way in ensuring that your data is secure and the risk of a breach is mitigated:
- Consider carefully where personal information you collect or maintain is stored or used, including computer systems, mobile devices, copiers, facsimile machines, and paper storage. Pay particular attention to cell phones, USB drives and cloud storage applications.
- Consider obtaining an independent analysis of your data use and storage. It is often beneficial to have a fresh set of eyes.
- Prepare an inventory of all the devices your business or employees possess which maintain personal information.
- Adopt policies to ensure that upon disposal or return of a device, all data maintained on that device is erased in accordance with industry standards.
Fortunately, there are several resources made available to businesses by government regulators to assist with securing and protecting the personal information they collect and maintain. Some resources of general applicability include:
- The National Institute of Standards and Technology publishes a wide range of resources for securing data, including encryption, data transmission, data storage and securing mobile devices. Such publications are available at http://csrc.nist.gov/publications/PubsSPs.html. Of particular note in light of Affinity is Computer Security: Guidelines for Media Sanitization available at http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800-88-r1-draft.pdf.
- Businesses that are considered “business associates” under HIPAA are encouraged to review OCR’s guidance on complying with HIPAA’s security standards. Information is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html.
- Businesses subject to the Gramm-Leach-Bliley Act are encouraged to review the resources provided by the Federal Trade Commission at http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act.
In addition, businesses concerned about their photocopiers are encouraged to consider Copier Data Security: A Guide for Businesses published by the Federal Trade Commission and available at http://business.ftc.gov/documents/bus43-copier-data-security.