As questions remain about the security of the Federal Services Data Hub to be used in conjunction with the Obamacare marketplaces beginning October 1, the Department of Health and Human Services (HHS) has agreed to a settlement with the not-for-profit Affinity Health Plans, Inc., for the company’s “potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.” The case stemmed from a photocopier purchased by CBS News and previously leased by Affinity that still contained sensitive personal health information on up to 344,579 individuals:
Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
In addition to a payment of $1,215,780, Affinity must attempt to locate other copiers it previously leased in order to remove hard drives containing additional personal data.
The OCR director for HHS stressed that this incident should be a lesson to entities that are responsible for storing and using sensitive data [emphasis added]:
This settlement could also put additional pressure on the Obama administration to provide assurance that necessary precautions are in place before the new healthcare exchanges are opened for business. As John McCormack noted in THE WEEKLY STANDARD earlier this week, Michael Astrue, former HHS general counsel and Social Security commissioner, has warned:
It is unclear what, if any, consequences HHS will be subject to if privacy breaches occur due to inadequate safeguards in the Obamacare marketplaces.