Data Breach after Resold Fax Machine Starts to Print Private Data

by | Oct 12, 2017

A fax machine used by a Doctor at Grand Rapids, MI, based Spectrum Health System was recently found to contain the PHI of almost 20 patients. The fax machine was bought from resale shop by a local, who found documents were still stored in the memory of the machine.

When trying to print off a fax transmission report, the device began printing documents holding sensitive patient information including names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance data.

The incident was reported of Wood TV’s Target 8 team, which looked into it and traced the fax machine to Spectrum Health’s Dr. Wendy Zink.

Spectrum Health was contacted about the violation and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment storing ePHI is sent to a business associate that ensures ePHI on the devices is permanently destroyed in accordance with HIPAA Rules. Spectrum Health has certification to prove that was the case and that the vendor also confirmed data had been permanently erased. The fax machine has since been recovered by Spectrum Health and all copies of PHI have been permanently erased. The privacy breach is being treated as an anomaly.

The HIPAA Security Rule – 45 CFR 164.310(d)(1) – requires HIPAA covered organizations to implement policies governing the removal of hardware containing electronic protected health information from their offices, and the transfer of those devices within their facilities.

The standard applies to portable storage devices including zip drives, hard drives, and laptop computers, but it also applies to digital photocopiers, printers, scanners, and faxes. Digital photocopiers, printers, scanners, and faxes normally store electronic copies of documents that have been copied or sent.

Movement of those devices must always be controlled and technical safeguards put in place to stop any electronic protected health information in saved documents from being viewed by unauthorized people.

As well as controlling the movement and keeping a record of those devices, covered groups must ensure that when the devices are no longer needed, any data stored on hard drives, or in the memory, are permanently destroyed.

45 CFR 164.310(d)(2)(i) and (ii) cover the disposal of electronic equipment, which require policies and procedures to be formulated and adopted to address the final disposition of ePHI, and the media on which it is stored. ePHI must be erased from electronic devices before they are re-used, scrapped, or recycled.

Before disposing of electronic media, all ePHI on the devices must be made unreadable, indecipherable, and incapable of being put back together. OCR proposes “clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media.”

If a covered organization is unable to complete these actions, a vendor can be used. That vendor would have to be considered as a business associate and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are given over.

The failure to erase ePHI before disposal is a breach of HIPAA Rules, and one that could possibly lead to an impermissible disclosure of protected health data. It could also result in a financial penalty for noncompliance with HIPAA Rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy