Breach Alert: Copiers Are a Risk
Insurer alerts 400,000 after data found on leased copy machines
Affinity Health Plan has notified more than 409,000 customers, clinicians, employees, job applicants and others about a breach related to personal information stored on the hard drives of copiers it returned to a leasing company. The health plan also notified three state agencies plus federal authorities.
Under the HITECH Act's breach notification rule, breaches affecting more than 500 individuals must be reported to federal authorities and the media within 60 days.
"Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped," says Abenaa Abboa-Offei, senior vice president of customer and community connections at Affinity. The insurer chose to "cast as wide a net as possible out of an abundance of caution" in deciding how many people to notify about the breach as the investigation of what data was on the copiers continues, she adds.
The company has no evidence that any of the personal information on the hard drives, which included Social Security numbers, names and addresses, has been compromised, Abboa-Offei says. The not-for-profit insurer serves about 250,000 members in the New York City metropolitan area.
However, in notifying those whose information may have been on the copiers' hard drives, it advised them to monitor their bank and credit accounts, check their credit reports and place fraud alerts on their credit files as well as "check your explanations of payment for any medical services you did not receive and report anything that does not look right to us or your healthcare providers."
How the problem was discovered
As part of an investigation, CBS Evening News bought four copy machines from a company that had leased them to four different organizations, including Affinity, and hired a firm to analyze what was on their hard drives. The machine that Affinity had used contained confidential medical information, according to the analysis by Digital Copier Security Inc., Shingle Springs, Calif.
Once the managed care plan learned on March 17 that one of the copiers it had returned contained a hard drive that might hold personal information, the insurer contacted the leasing company to retrieve the hard drives of its other copy machines whose leases had expired.
Most copiers have hard drives
Most copiers used in business settings are leased, "and I'd say 80 percent or more of the machines in use today have at least one hard drive," says Sean O'Leary, a senior analyst with Digital Copier Security. The hard drives are necessary, he says, because most copiers also now handle printing, faxing, scanning and e-mail.
The information stored on a copier's hard drive varies widely by manufacturer, O'Leary says. "Some machines more readily capture and store images on the hard drive. Some have a hard drive that has a large part of its capacity used for operating code."
O'Leary advises healthcare organizations to identify which copiers have hard drives and then take security precautions similar to those used for personal computers. For example, the organization may want to restrict who can use the copier and train staff members on what information should not be copied, scanned or e-mailed using the device.
Before returning a leased copier, the user should remove all information from the hard drive, O'Leary stresses. For example, Digital Copier Security offers a service that involves scrubbing the hard drive, removing it, destroying it, and replacing it with a new drive before the copier is returned.
In the wake of the incident, Affinity is conducting an inventory of all leased copiers to identify those with hard drives and then make sure all information is scrubbed before the copiers are returned.
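A verification step for the scrubbing described above, added here as an example that is not from the article, Affinity or Digital Copier Security: it assumes the scrub was a zero-fill overwrite and that the copier's drive is readable as an image file, then samples chunks of that image (always including the first and last) to confirm no non-zero bytes remain. The 64 KiB images it checks are constructed in a temp directory for demonstration, not real drive contents.

```python
import os
import random
import tempfile
from dataclasses import dataclass
from typing import Optional

CHUNK = 4096  # bytes examined per sample; assumption, not a copier-specific value

@dataclass
class WipeReport:
    sampled: int                       # chunks examined
    dirty: int                         # chunks containing any non-zero byte
    first_dirty_offset: Optional[int]  # byte offset of the first residue found

def verify_zero_fill(path, samples=64, seed=0):
    """Sample chunks of a drive image and confirm every byte is 0x00.
    Assumes a zero-fill scrub; first and last chunks are always checked."""
    size = os.path.getsize(path)
    nchunks = (size + CHUNK - 1) // CHUNK
    if nchunks == 0:
        raise ValueError("empty image")
    rng = random.Random(seed)
    indices = {0, nchunks - 1}
    while len(indices) < min(samples, nchunks):
        indices.add(rng.randrange(nchunks))
    dirty, first = 0, None
    with open(path, "rb") as f:
        for i in sorted(indices):
            f.seek(i * CHUNK)
            buf = f.read(CHUNK)
            if buf.count(0) != len(buf):
                dirty += 1
                if first is None:
                    first = i * CHUNK + next(k for k, b in enumerate(buf) if b)
    return WipeReport(len(indices), dirty, first)

def make_image(path, size, residue=b"", offset=0):
    """Write a constructed test image: all zeros plus optional leftover bytes."""
    data = bytearray(size)
    data[offset:offset + len(residue)] = residue
    with open(path, "wb") as f:
        f.write(data)

def run_demo():
    """Build one clean and one dirty 64 KiB image; return both reports."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "clean.img"), os.path.join(d, "dirty.img")
    make_image(clean, 16 * CHUNK)
    make_image(dirty, 16 * CHUNK, b"constructed residual scan data", 5 * CHUNK + 100)
    return verify_zero_fill(clean), verify_zero_fill(dirty)
```

A report with `dirty == 0` across the full sample set is the evidence to attach to the lease-return record; any non-zero count means the drive goes back to the scrub step, not to the leasing company.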
"Moving forward, our policy on handling hard drives for copiers will be the same as for any other equipment we lease, such as computers, scanners, laptops and fax machines," Abboa-Offei says. "For all leased equipment, we have a rigorous process for ensuring information is destroyed before we return the device."
Affinity's experience offers a valuable lesson for other healthcare organizations, Abboa-Offei notes. "It's important that other organizations learn from this example and follow Affinity's lead in ensuring hard drives on photocopiers are scrubbed," she says. Awareness of hard drives on copiers "is really an issue that needs to be taken quite seriously," she stresses. "That extends to the public at large. If you make a copy at a library or a photocopy shop, be vigilant about what you are copying."