Title: Affinity Health Plan Alerts Public About Potential Security Breach
Date: 05/03/10
Business Activities: Data Management - Destruction, Breach Response
Impact to Subscriber:

A company informed the general public and the New York State Consumer Protection Board of a potential breach of customer, provider and staff personal information (including social security numbers, dates of birth and medical information) affecting an estimated 409,262 New York State residents. The breach occurred when the company returned a leased photocopier without realising that copy machines contain hard drives that must be wiped before return. The company took immediate action to ensure that no personal information of its customers remained on other previously leased copiers: it retrieved the hard drives of other copy machines whose leases had expired, began an inventory of all leased copying equipment to identify machines with on-board memory or hard drives, and ensured that the contents of all machines are completely scrubbed before they are returned to the leasing company.

Authority:
Risk Guidance:
Control Guidance:

Relevance:

Background Facts:

  • Affinity Health Plan notified the New York State Consumer Protection board about a possible breach affecting an estimated 409,262 residents.

Relevance to Business Activity:  

  • data management - destruction considerations:
    • Affinity Health Plan (“Affinity”), a not-for-profit managed care plan serving the New York metropolitan area:
      • was informed that an office copier leased previously by it, and since returned to the leasing company, may contain personal information on its hard drive:
        • some of the personal information on the copiers may have included personal information of customers, providers and staff:
          • social security numbers;Risk
          • dates of birth;Risk and
          • medical information,Risk such as:
            • drug prescriptions;
            • blood test results;
            • cancer diagnosis.
      • did not directly confirm there was a breach, however:
        • a news report confirmed that confidential information was on the hard drive, which had been found at a warehouse and contained 300 pages of individual medical records.
      • stated that it was not aware copy machines contained hard drives that needed to be wiped.Risk


  • breach response considerations:
    • Affinity took immediate actions to ensure that no personal information of its customers remains on other previously leased copiers, specifically it took the following measures:
      • contacted the leasing company and began retrieving the hard drives of the other copy machines whose leases have expired;Control
      • commenced an intensive inventory of all leased copying equipment to identify those with on-board memory or hard drives;Control
      • ensured that the contents of all machines are completely scrubbed prior to their return to the leasing company at the end of the lease period;Control and
      • contacted relevant regulatory agencies regarding the issue.Control
    • the company had a comprehensive program to safeguard and maintain the confidentiality of member, provider and employee personal information on computers and other devices:
      • the company stated it was now exercising the same standards for any data that may exist on its leased copying equipment.Control
    • although there was no evidence that customer information was used or compromised in any way, it made the following recommendations to customers and staff:
      • check all bank and credit accounts for anything suspicious;
      • report anything that does not look right at once to the bank or credit card company;
      • check explanations of payment for any medical services that were not received;
      • report anything that does not look right to any health care provider; and
      • place a free 90-day fraud alert on any credit file.
    • in its notification to the NYS Consumer Protection board about the breach:
      • the company indicated that an estimated 409,262 NYS residents were affected:
        • the number represents the company erring on the side of caution, as it had not yet concluded its forensic examination and did not know exactly who was affected:
          • the figure includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.  
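The "completely scrubbed prior to their return" control listed above is only as good as the check that follows the wipe. The script below is an added example and is not part of the original page or of Affinity's own safeguarding program. It reads a raw image (or a block device opened read-only) taken from a copier or other leased device sector by sector and reports sectors that are neither 0x00- nor 0xFF-filled, those whose entropy suggests a random-pattern overwrite, and those that still hold runs of readable text. The sector size, entropy threshold, printable-run length and the two sample images it writes to a temporary directory (including the made-up "member" record) are assumptions made for the demonstration.

```python
"""Residual-data check for a drive image taken from a device before it
leaves the organisation (for example a returned copier's hard drive).

Added example, not code from the page or from Affinity Health Plan. It
assumes the drive has already been imaged, or can be read as a raw block
device; the sample images used by demo() are constructed on the fly.
"""
import os
import re
import sys
import tempfile
from collections import Counter
from math import log2

SECTOR_SIZE = 512          # assumption: 512-byte sectors
RANDOM_ENTROPY_BITS = 7.5  # assumption: above this a sector looks random
# A run of 12+ printable ASCII bytes inside a sector is a cheap hint that
# readable text (names, dates of birth, record numbers) survived the wipe.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{12,}")


def sector_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant-filled sector)."""
    n = len(buf)
    counts = Counter(buf)
    return -sum(c / n * log2(c / n) for c in counts.values())


def scan_image(path, sector_size=SECTOR_SIZE, max_samples=5):
    """Scan a raw image or block device one sector at a time.

    Returns counts of sectors read, sectors that are not a constant 0x00 or
    0xFF fill, sectors that look like a random overwrite, sectors holding a
    printable-text run, the offsets of the first few non-blank sectors, and a
    'clean' verdict: no text hits and every non-blank sector random-looking.
    """
    total = non_blank = random_like = text_hits = 0
    samples = []
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(sector_size)
            if not buf:
                break
            total += 1
            # Constant fill of 0x00 or 0xFF is consistent with a completed wipe.
            if buf[0] in (0x00, 0xFF) and buf.count(buf[0:1]) == len(buf):
                continue
            non_blank += 1
            if len(samples) < max_samples:
                samples.append((total - 1) * sector_size)
            if PRINTABLE_RUN.search(buf):
                text_hits += 1
            elif sector_entropy(buf) > RANDOM_ENTROPY_BITS:
                random_like += 1
    return {
        "sectors": total,
        "non_blank": non_blank,
        "random_like": random_like,
        "text_hits": text_hits,
        "sample_offsets": samples,
        "clean": text_hits == 0 and non_blank == random_like,
    }


def build_demo_images(directory):
    """Write two constructed 8-sector images: one fully zeroed, one with a
    leftover (made-up) record left in sector 3."""
    wiped = os.path.join(directory, "wiped.img")
    residual = os.path.join(directory, "residual.img")
    with open(wiped, "wb") as fh:
        fh.write(b"\x00" * SECTOR_SIZE * 8)
    record = b"MEMBER: J. DOE  DOB: 01/01/1970  RX: sample-drug  (constructed)"
    image = bytearray(SECTOR_SIZE * 8)
    image[3 * SECTOR_SIZE:3 * SECTOR_SIZE + len(record)] = record
    with open(residual, "wb") as fh:
        fh.write(image)
    return wiped, residual


def demo():
    """Build the constructed images in a temp dir and scan both."""
    with tempfile.TemporaryDirectory() as d:
        wiped, residual = build_demo_images(d)
        return scan_image(wiped), scan_image(residual)


if __name__ == "__main__":
    # Usage: python3 residual_scan.py [/path/to/image-or-device]
    if len(sys.argv) > 1:
        print(scan_image(sys.argv[1]))
    else:
        for result in demo():
            print(result)
```

An all-zero or all-random result shows only that the sectors the host can address were overwritten. Copier controllers may also keep job data in on-board flash, in remapped or spare sectors, or in areas a normal read never reaches, so this check belongs alongside the vendor's own data-erase function (or physical destruction of the drive) rather than in place of it.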


Source Documents:

https://www.affinityplan.org/uploadedFiles/Affinity_Home/Who_We_Are/PressRelease_040510.pdf

http://www.databreaches.net/?p=11309
