Cross-posted from phiprivacy.net:

On April 5, Affinity Health Plan issued a press release concerning a “potential security breach” of customer, provider, and staff personal information.

According to the release, Affinity was informed on March 17 that an office copier leased previously by it and since returned to the leasing company might contain personal information on its hard drive. As of the April 5 statement, the company had not yet retrieved the hard drive nor had an opportunity to examine it, but according to the company, some of the personal information on the copiers may have included Social Security numbers, dates of birth, and medical information.

As a result of the situation, Affinity began contacting the leasing company to retrieve hard drives of other copiers it had leased in the past and is changing its practices with respect to scrubbing hard drives on leased equipment before it is returned.

Although the need to scrub or safely destroy copier hard drives has been discussed in security and privacy circles since at least 2002, Affinity admits that they were not aware of the risk:

“Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped,” said Abbe Abboa-Offei, senior vice president of Customer & Community Connections. “Safeguarding the confidentiality of protected health information and other personally identifiable information of our customers is a priority for us, and we have immediately notified all those potentially affected as well as appropriate regulators and authorities.”

According to its statement, Affinity serves more than 250,000 members in an area that includes New York City, Long Island, and the surrounding counties of Westchester, Rockland and Orange.

In its notification to the NYS Consumer Protection board about the breach, the company indicated that 409,262 NYS residents were affected. A spokesperson for Affinity with whom I spoke yesterday explained that the 409,262 figure includes former and current employees, providers, applicants for jobs, members, and applicants for coverage, and represents the company erring on the side of caution as they have not yet concluded their forensic examination.

Although the spokesperson would not go beyond the press release and directly confirm that a breach had occurred, a report by CBS News on April 15 confirms that confidential information was on the hard drive, which had been found at a warehouse in New Jersey, ready to be sold:

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Whether other types of personally identifiable information, including SSN and employee or provider data, were on the drive remains to be confirmed.