Affinity Health Plan made a public announcement that on March 17, 2010, the company was informed that an office copier it had been leasing and recently returned to the leasing company may have contained very sensitive personal information on its customers, which included: names, addresses, Social Security Numbers, dates of birth, and medical information.
An investigative story by CBS later confirmed that the copiers did in fact contain personal information of Affinity Health Plan customers. The data on the hard drives of these copiers exposed the highly sensitive personal information of more than 409,000 customers, employees, and prospective job applicants.
Affinity went on to say that it was taking all the appropriate steps to ensure that no further information was contained on any other copiers previously leased and since returned and was taking additional measures such as:
- Retrieving the hard drives of any other copy machines previously leased
- Conducting an inventory of all leased equipment that contains on-board memory or hard drives
- Ensuring that all leased equipment with on-board memory or hard drives is scrubbed prior to its lease expiration date
- Reporting the incident to all the relevant reporting and regulatory agencies
In closing, Affinity Health Plan had this to say:
“Safeguarding the confidentiality of protected health information and other personally identifiable information of our customers is a priority for us, and we have immediately notified all those potentially affected as well as appropriate regulators and authorities,” said Abbe AbboaOffei, Senior Vice President of Customer & Community Connections.
The Department of Health & Human Services (HHS) fined Affinity Health Plan and ultimately resolved the matter with a $1,215,780 settlement for its improper treatment and disclosure of electronic personal health information.