The following is a reprint of an article from Practice Fusion dated May 3, 2010 which highlights a very important problem that we should all be aware of.

Annals of Security: Doctors’ Copy Machines Pose Data Breach Threat

Physicians and medical office personnel use photocopiers all the time to scan, copy and fax patient medical records. The activity is part of routine office workflows like referring patients to specialists, accepting new patients into the practice, transferring paper records into an electronic health record, submitting information to insurance companies and so forth.

In all likelihood, few providers appreciate that these ubiquitous copy machines can be the source of security breaches involving the exquisitely sensitive patient information that has been scanned, copied or faxed.

Hopefully, a recent report by CBS News investigative correspondent Armen Keteyian has raised awareness of the risk. According to Keteyian, all copiers manufactured after 2002 are de facto computers. As such, they store images of all documents that have been scanned, copied, printed, faxed or emailed on an internal hard drive.

This hard drive is easy to remove and almost never erased.

As part of his report, Keteyian purchased 4 used copiers for $300 each from a New Jersey warehouse where they were waiting to be shipped to new buyers. Keteyian’s team removed the hard drives from these copiers and used data recovery software available for free on the internet to examine them.

In a matter of hours, the team recovered tens of thousands of documents from the machines.

On the hard drive from the first machine, the team found “detailed domestic violence complaints and a list of wanted sex offenders” from the Buffalo, NY Police Sex Crimes Division. The second copier contained the names of “targets in a major drug raid” by the Narcotics Unit from Buffalo. A third machine contained design plans for a building near Ground Zero as well as “95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.”

But the real jackpot was found on the hard drive of Machine #4, which had been leased by Affinity Health Plan, a New York insurance company. It contained “300 pages of individual medical records,” including “everything from drug prescriptions, to blood test results, to a cancer diagnosis.”

In accordance with HIPAA privacy laws, Affinity subsequently released a breach notification to state and federal regulators, and notified more than 400,000 people that their protected health information may have been exposed. Admirably, the announcements were filed on the very day they were contacted by CBS.

“You’re talking about potentially ruining someone’s life,” said Ira Winkler, a former National Security Agency analyst and an expert on digital security. “You have to take some basic responsibility and know that these copiers are actually computers that need to be cleaned up.”

It turns out that it’s not that difficult to wipe data from the hard drive of a copy machine. During his report, for example, Keteyian interviewed John Juntunen, CEO of Digital Copier Security, a Sacramento-based company that offers software which can scrub data from copier hard drives.

Alternatively, most copier manufacturers offer security or encryption features that can largely prevent such data leaks. Sharp copiers, for example, include a feature that automatically erases data on the hard drive. It costs $500.

Apparently, most people either haven’t considered the risk or are unwilling to pay for the fix.
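Whether a copier drive was scrubbed before the machine left the office can be checked the same way Keteyian's team found the records: by looking for recognisable file headers in a raw image of the drive. The script below is an added example, not part of the original article or any vendor's tool; the signature table, the chunked scan and the sample "drive" buffers are constructed for illustration, and a drive that reports any hits should be treated as not sanitized.

```python
import io
import re

# Magic bytes of the image/document formats a copier typically stores.
# Constructed table for this example; extend it for the formats your device writes.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "tiff_le": b"II*\x00",
    "tiff_be": b"MM\x00*",
    "png": b"\x89PNG\r\n\x1a\n",
}
OVERLAP = max(len(m) for m in SIGNATURES.values()) - 1  # bytes carried between chunks

def find_document_signatures(data: bytes) -> list:
    """Return (offset, format) for every known file header in a byte buffer."""
    hits = []
    for name, magic in SIGNATURES.items():
        hits.extend((m.start(), name) for m in re.finditer(re.escape(magic), data))
    return sorted(hits)

def scan_stream(fh, chunk_size: int = 1 << 20) -> list:
    """Scan a raw drive image chunk by chunk, keeping an overlap so that a header
    straddling a chunk boundary is still caught but never reported twice."""
    hits, consumed, tail = [], 0, b""
    while chunk := fh.read(chunk_size):
        data = tail + chunk
        base = consumed - len(tail)  # absolute drive offset of data[0]
        for pos, name in find_document_signatures(data):
            if pos + len(SIGNATURES[name]) > len(tail):  # not already reported last round
                hits.append((base + pos, name))
        consumed += len(chunk)
        tail = data[-OVERLAP:]
    return hits

def scan_image_file(path: str, chunk_size: int = 1 << 20) -> list:
    """Scan a drive image on disk (e.g. one produced with dd) without loading it all."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size)

def scan_bytes_in_chunks(image: bytes, chunk_size: int) -> list:
    return scan_stream(io.BytesIO(image), chunk_size)

def is_sanitized(image: bytes) -> bool:
    """A properly wiped drive carries no recognisable file headers."""
    return not find_document_signatures(image)

# Constructed sample "drives": one still holding a scanned page and a PDF, one wiped.
UNWIPED = b"\x00" * 512 + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 512 + b"%PDF-1.4" + b"\x00" * 100
WIPED = b"\x00" * len(UNWIPED)
```

Running `scan_image_file` over an image of a decommissioned copier drive before the machine is returned to the lessor gives a quick pass/fail on the wipe; a clean result is necessary but not sufficient, since headers can be damaged while image data remains.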

Meanwhile, on the day Keteyian’s crew visited the New Jersey warehouse, they saw 2 large shipping containers filled with used copiers being loaded onto trucks. The copiers had been purchased by unknown buyers in Singapore and Argentina.

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion