Health Plan Settles Breach Involving ePHI Left on Leased Photocopier Hard Drives
August 30, 2013 | Aging Services Risk, Quality, & Safety Guidance
A not-for-profit managed care health plan based in New York has agreed to pay $1,215,780 to the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules, states an August 14, 2013, HHS news release. According to the news release, the health plan filed a breach report with HHS on April 15, 2010, following notification from an affiliate of CBS News that a photocopier, which was previously leased by the plan, had been purchased and found to still contain confidential medical information on the hard drive. A subsequent investigation by HHS’s Office for Civil Rights (OCR) revealed that the health plan impermissibly disclosed the electronic protected health information (ePHI) of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.