DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Affinity Health Plan notifies over 409,000 of breach

Posted on April 20, 2010 by Dissent

Cross-posted from phiprivacy.net:

On April 5, Affinity Health Plan issued a press release concerning a “potential security breach” of customer, provider, and staff personal information.

According to the release, Affinity was informed on March 17 that an office copier leased previously by it and since returned to the leasing company might contain personal information on its hard drive. As of the April 5 statement, the company had not yet retrieved the hard drive nor had an opportunity to examine it, but according to the company, some of the personal information on the copiers may have included Social Security numbers, dates of birth, and medical information.

As a result of the situation, Affinity began contacting the leasing company to retrieve hard drives of other copiers it had leased in the past and is changing its practices with respect to scrubbing hard drives on leased equipment before it is returned.

Although the need to scrub or safely destroy copier hard drives has been discussed in security and privacy circles since at least 2002, Affinity admits that they were not aware of the risk:

“Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped,” said Abbe Abboa-Offei, senior vice president of Customer & Community Connections. “Safeguarding the confidentiality of protected health information and other personally identifiable information of our customers is a priority for us, and we have immediately notified all those potentially affected as well as appropriate regulators and authorities.”

According to its statement, Affinity serves more than 250,000 members in an area that includes New York City, Long Island, and the surrounding counties of Westchester, Rockland and Orange.

In its notification to the NYS Consumer Protection board about the breach, the company indicated that 409,262 NYS residents were affected. A spokesperson for Affinity with whom I spoke yesterday explained that the 409,262 figure includes former and current employees, providers, applicants for jobs, members, and applicants for coverage, and represents the company erring on the side of caution as they have not yet concluded their forensic examination.

Although the spokesperson would not go beyond the press release and directly confirm that a breach had occurred, a report by CBS News on April 15 confirms that confidential information was on the hard drive, which had been found at a warehouse in New Jersey, ready to be sold:

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Whether other types of personally identifiable information, including SSN and employee or provider data, were on the drive remains to be confirmed.

Category: Breach IncidentsBreach TypesExposureHealth DataOf Note

Post navigation

← Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach
Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.