Inside TDV - The Data Vault Blog
Media Destruction is an Often Forgotten Security Measure
A recent article reports that a managed healthcare plan provider was found in violation of federal health privacy rules and ended up paying $1.2 million to the Department of Health and Human Services Office for Civil Rights (OCR) to settle the matter. It is a situation in which a simple media destruction plan would have made all the difference.
Law.com reports that Affinity Health Plan Inc. in New York was found to have violated the Health Insurance Portability and Accountability Act's privacy and security rules because of, of all things, a leased photocopier.
When the lease ended, the copier was returned and then leased to another company, which found that the copier's hard drive still contained protected health information for more than 340,000 individuals. That hard drive should have been removed and kept by Affinity, or destroyed under Affinity's media destruction policy, if it had one.
HIPAA has rules requiring healthcare businesses “to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any medium,” the article states. In addition, HIPAA requires entities to have policies in place regarding destruction of any media that holds patient information.
We've seen this before: deleting data from a hard drive or server isn't enough, because deletion only removes the filesystem's pointer to the data while the blocks themselves stay on the platters until something overwrites them. Modern multifunction copiers, printers and fax machines cache every page they scan or print on an internal hard drive, and in this instance it's likely Affinity didn't even realize the copier had one. OCR extends precious little leniency once a breach has occurred. A media destruction policy is a must for businesses of all sizes, and it should cover leased and rented equipment as well as the hardware you own.
Media should be destroyed as soon as it has been taken out of service; a retired drive left lying around in a storage closet is a breach waiting to happen. And media destruction doesn't mean taking a hammer to that old hard drive: a cracked case or a bent platter gives no assurance that the data is unrecoverable, since the undamaged areas of the platter can still be read in a lab. NIST Special Publication 800-88 is the standard reference for the accepted sanitization methods (clear, purge and destroy) and for verifying that they worked.
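To make the two points above concrete (that "deleting" leaves the data on the media, and that partially smashing a drive leaves the undamaged blocks readable), here is an added example that is not part of the original post. It builds a constructed in-memory disk image with a FAT-style directory in block 0, writes two made-up patient records (fake MRNs and names, not real PHI), "deletes" them the way unlink does by clearing the directory entries, and then carves the raw bytes the way forensic tools do. The records come back intact after deletion, one survives after a single block is destroyed, and only a full overwrite (the NIST SP 800-88 "clear" method) leaves nothing to carve. The ToyDisk class, the block layout and the record format are all assumptions made up for the demonstration.

```python
import re

BLOCK = 64                  # bytes per block in the toy image
DIR_ENTRIES = 4             # directory lives in block 0
ENTRY = 16                  # name[8] + start_block[4] + length[4]

# Constructed sample records: fake medical record numbers and names, not real PHI.
RECORDS = {
    "scan001": b"MRN-000123;DOE,JANE;DX=E11.9\n",
    "scan002": b"MRN-000456;ROE,RICHARD;DX=I10\n",
}
# What a carver looks for: a record-shaped byte pattern, no filesystem needed.
RECORD_RE = re.compile(rb"MRN-\d{6};[A-Z]+,[A-Z]+;DX=[A-Z0-9.]+")


class ToyDisk:
    """A minimal block device with a FAT-like directory in block 0 (hypothetical layout)."""

    def __init__(self, blocks=8):
        self.img = bytearray(BLOCK * blocks)
        self.next_free = 1          # block 0 is reserved for the directory

    def write_file(self, name, data):
        assert len(name) <= 8 and len(data) <= BLOCK   # one block per file keeps the demo simple
        start = self.next_free
        self.img[start * BLOCK:start * BLOCK + len(data)] = data
        self.next_free += 1
        for i in range(DIR_ENTRIES):
            e = i * ENTRY
            if self.img[e] == 0:                        # free directory slot
                self.img[e:e + 8] = name.encode().ljust(8, b"\0")
                self.img[e + 8:e + 12] = start.to_bytes(4, "little")
                self.img[e + 12:e + 16] = len(data).to_bytes(4, "little")
                return start
        raise RuntimeError("directory full")

    def list_files(self):
        """What the operating system shows: only files with a live directory entry."""
        names = []
        for i in range(DIR_ENTRIES):
            e = i * ENTRY
            if self.img[e] != 0:
                names.append(self.img[e:e + 8].rstrip(b"\0").decode())
        return names

    def delete(self, name):
        """What rm/unlink does: clear the directory entry, leave the data blocks untouched."""
        for i in range(DIR_ENTRIES):
            e = i * ENTRY
            if self.img[e:e + 8].rstrip(b"\0") == name.encode():
                self.img[e:e + ENTRY] = bytes(ENTRY)
                return True
        return False

    def damage_blocks(self, indices):
        """Model a hammer or a drill: the listed blocks are destroyed, the rest stay readable."""
        for b in indices:
            self.img[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def sanitize(self):
        """NIST SP 800-88 'clear': overwrite every block, directory included."""
        self.img[:] = bytes(len(self.img))


def carve(img):
    """Forensic carving: ignore the directory and scan the raw bytes for record patterns."""
    return [m.group(0).decode() for m in RECORD_RE.finditer(bytes(img))]


def run_demo():
    d = ToyDisk()
    for name, rec in RECORDS.items():
        d.write_file(name, rec)
    result = {"listed_before": d.list_files()}

    for name in RECORDS:
        d.delete(name)
    result["listed_after_delete"] = d.list_files()      # [] : the drive looks empty
    result["carved_after_delete"] = carve(d.img)        # both records are still there

    d.damage_blocks([1])                                # smash only part of the drive
    result["carved_after_damage"] = carve(d.img)        # the record in block 2 survives

    d.sanitize()
    result["carved_after_sanitize"] = carve(d.img)      # nothing left to recover
    return result


if __name__ == "__main__":
    for step, value in run_demo().items():
        print(f"{step}: {value}")
```

The same carving approach (ignore the filesystem, scan the raw device for patterns) is exactly what recovery tools and curious buyers run against a second-hand drive, which is why the state of the directory says nothing about what is still on the media. Real drives add further hiding places a toy image does not model, such as spare sectors remapped by the firmware, which is one more reason the page's advice to destroy the whole drive rather than trust a partial wipe is sound.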
And this doesn't apply only to organizations that fall under HIPAA. Any organization that holds personal or financial data about clients or customers has the same exposure when retired media leaves the building with that data still on it.
Partnering with a company that offers secure media destruction is by far the most effective way to protect your organization. Hard drives, CDs, DVDs, servers, microfiche, whatever the medium, are shredded and the remains recycled. Before signing, confirm the vendor shreds to a particle size from which data cannot be recovered, maintains a documented chain of custody from pickup to shredder, and issues a certificate of destruction listing the serial numbers of the drives destroyed; that paperwork is what you will need to show an auditor or regulator. For leased equipment, write drive removal or destruction at end of lease into the contract so the vendor's return process cannot undo your policy.
Best of all, a media destruction plan costs a lot less than the fine for a Department of Health and Human Services violation.