How the Breach Occurred
Modern photocopiers store images of every document they copy, scan, or fax on an internal hard drive. When the lease on Affinity Health Plan's machines ended, the devices were returned to the leasing company without the data being wiped. In a 2010 CBS News investigation, one purchased copier that had come from Affinity Health Plan still contained thousands of sensitive medical records, including Social Security numbers, medical diagnoses, and patient details protected under HIPAA.
Regulatory and Financial Impact
Affinity Health Plan was investigated by the U.S. Department of Health and Human Services (HHS) and agreed to pay a $1.2 million settlement. The company was also required to adopt a corrective action plan, including revising its policies for the disposal of electronic devices.
Lessons Learned: The Importance of Equipment Sanitisation
The Affinity case is a critical reminder that sensitive data can exist in unexpected places, such as photocopiers, printers, and other office equipment. Organisations must adopt comprehensive policies for the secure disposal of all equipment that has the potential to store confidential data.
Conclusion
The most secure way to ensure data cannot be recovered is to physically destroy the media that contains it. NTERA can help you ensure that data is never recovered, regardless of the device type.
