$1.2 Million for Breaches Caused by Photocopier Error

by Patrick Kennedy | Apr 27, 2013

Protected Health Information can easily be accessed by unauthorized personnel if a document is left on a photocopier after copies have been made; however, digital photocopiers can expose the personal health data of hundreds of thousands of people.

When copies of files are made on a digital photocopier, the files remain on the machine until they are deleted by the person making the copies.

Many organizations and individuals forget, or do not realize, that this is the case and do not delete the data before disposing of the machine. Every file and document copied on the machine may then be available to anyone who gains access to the copier's hard drive. All digital photocopiers sold since 2002 have included a hard drive as standard.

Under HIPAA rules, HIPAA covered entities must erase all ePHI stored on hard drives before the devices are scrapped, decommissioned or returned to a leasing company. HIPAA-compliant healthcare organizations must make sure that their PCs, laptops and mobile devices have their data properly erased before they are decommissioned, and the same applies to photocopiers and any other technology that stores ePHI on a hard drive.

On August 14, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services issued a release announcing that a settlement had been reached with Affinity Health Plan, Inc. for making this mistake. The company had not deleted the data on a number of its photocopiers when it returned them to the leasing company at the end of the contract. According to the OCR statement announcing the settlement for the HIPAA breach, the data on the photocopiers included protected health information on up to 344,579 people.

The HIPAA breach was discovered by CBS News as part of an investigative report. CBS reporters bought a number of digital photocopiers that were waiting to be resold as part of a batch of 6,000 stored in a warehouse in New Jersey. According to the CBS report, the reporters chose the copiers based on their price and the number of documents they stored.

One of the photocopiers was from the Buffalo police department and still had a document from its sex crimes division on the glass. Details of wanted sex offenders and domestic complaints were among the data recovered from the hard drives. Other machines held lists of possible suspects from major drug raids. One copier that was bought had previously been owned by Affinity Health Plan. It contained 300 pages of individual patient medical records, including medical treatments, test results, diagnoses, social security numbers and personal contact data.

CBS contacted Affinity Health Plan as part of its report to alert them to the HIPAA breach, and the report prompted a review by the Office for Civil Rights of the Department of Health and Human Services. The OCR found that Affinity Health Plan had failed to exercise the controls necessary to prevent Protected Health Information from being disclosed to unauthorized personnel when it did not securely erase the photocopier hard drives.

Affinity Health Plan and the OCR have now agreed on a settlement of $1.2 million for the HIPAA violations, and the company must also adopt a corrective action plan to ensure that similar incidents do not happen in the future. A thorough risk analysis must be completed and all of its IT systems must be assessed for security issues. It must also incorporate appropriate safeguards into its policies and procedures to ensure that all data is securely erased going forward.

The latest violation should serve as a warning to all HIPAA covered entities and to any owner of a digital photocopier. If data is not erased before the machine is scrapped or returned, it can easily fall into the hands of others, some of whom may be purchasing the machine specifically for the data it stores.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.