Health Company Agrees to Pay HHS $1.2M After Security Breach

    Even as questions remain about the security of the Federal Services Data Hub to be used in conjunction with the Obamacare marketplaces beginning October 1st, the Department of Health and Human Services (HHS) has agreed to a settlement with the not-for-profit Affinity Health Plans, Inc., for the company's "potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules."  The case stemmed from a photocopier purchased by CBS News and previously leased by Affinity that still contained sensitive personal health information on up to 344,579 individuals:

Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act...   

Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

    In addition to a payment of $1,215,780, Affinity must attempt to locate other copiers previously leased to remove hard drives containing additional personal data. 

    The OCR director for HHS stressed that this incident should be a lesson to entities that are responsible for storing and using sensitive data [emphasis added]:

"This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent," said OCR Director Leon Rodriguez.  “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

    This settlement could also put additional pressure on the Obama administration to provide assurance that necessary precautions are in place before the new healthcare exchanges are opened for business.  As John McCormack noted in THE WEEKLY STANDARD earlier this week, Michael Astrue, former HHS general counsel and Social Security commissioner, has warned

that "unless delayed and fixed" the Obamacare exchanges will "inflict on the public the most widespread violation of the Privacy Act in our history."

    It is unclear what if any consequences HHS will be subject to if privacy breaches occur due to inadequate safeguards in the Obamacare marketplaces.


Note: A version of this article first appeared at The Weekly Standard.