DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Affinity Health Plan notifies over 409,000 of breach

Posted on April 20, 2010 by Dissent

Cross-posted from phiprivacy.net:

On April 5, Affinity Health Plan issued a press release concerning a “potential security breach” of customer, provider, and staff personal information.

According to the release, Affinity was informed on March 17 that an office copier leased previously by it and since returned to the leasing company might contain personal information on its hard drive. As of the April 5 statement, the company had not yet retrieved the hard drive nor had an opportunity to examine it, but according to the company, some of the personal information on the copiers may have included Social Security numbers, dates of birth, and medical information.

As a result of the situation, Affinity began contacting the leasing company to retrieve hard drives of other copiers it had leased in the past and is changing its practices with respect to scrubbing hard drives on leased equipment before it is returned.

Although the need to scrub or safely destroy copier hard drives has been discussed in security and privacy circles since at least 2002, Affinity admits that they were not aware of the risk:

“Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped,” said Abbe Abboa-Offei, senior vice president of Customer & Community Connections. “Safeguarding the confidentiality of protected health information and other personally identifiable information of our customers is a priority for us, and we have immediately notified all those potentially affected as well as appropriate regulators and authorities.”

According to its statement, Affinity serves more than 250,000 members in an area that includes New York City, Long Island, and the surrounding counties of Westchester, Rockland and Orange.

In its notification to the NYS Consumer Protection board about the breach, the company indicated that 409,262 NYS residents were affected. A spokesperson for Affinity with whom I spoke yesterday explained that the 409,262 figure includes former and current employees, providers, applicants for jobs, members, and applicants for coverage, and represents the company erring on the side of caution as they have not yet concluded their forensic examination.

Although the spokesperson would not go beyond the press release and directly confirm that a breach had occurred, a report by CBS News on April 15 confirms that confidential information was on the hard drive, which had been found at a warehouse in New Jersey, ready to be sold:

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Whether other types of personally identifiable information, including SSN and employee or provider data, were on the drive remains to be confirmed.

Category: Breach IncidentsBreach TypesExposureHealth DataOf Note

Post navigation

← Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach
Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.