April 26, 2010 4:58 PM

Photocopier Fallout: Company Notifies 409,000 of Data Breach

By Michael Rey
When Armen Keteyian first reported the story on digital copiers and their hard drives on April 19, there were no known cases of data breaches coming from copy machine hard drives.

In an ironic twist, our story became the first publicly known case of a data breach from a copy machine hard drive when we purchased a copier that had once been owned by Affinity Health Plan.

Because of medical privacy laws, Affinity was then required to file a breach notification with state and federal regulators and to notify all of its clients and everyone who might ever have had information on Affinity copy machines, including current and former employees. The company sent out a breach notice on April 5, saying it had been told of the hard drive problem on March 17th, the day it was first contacted by CBS News.

Affinity told 409,262 individuals that their personal or medical data may have been compromised, according to a filing with the New York State Consumer Protection Board.

Medical records for nine individuals were found on the digital copier that we purchased in a wholesale warehouse. The copier had once been in use at the Affinity headquarters in the Bronx.

On that same copier, we also found hundreds of pages of non-medical documents, including driver's licenses, social security cards, W-2 forms and even a handwritten love note.

CBS News returned the hard drives in a sealed envelope to a representative of Affinity on April 8.


by walleyek April 27, 2010 10:54 AM EDT
Copy machine hard drives should be the self-encrypting variety. A user must authenticate to it just like he/she would to their computer's encryption system.
by IT_Department_Guy April 27, 2010 9:01 AM EDT
FYI -

What most Employees do not realize is that any paper document you put on a photocopy machine and copy (whether private or business) is automatically "digitalized" and is immediately viewable by your IT Guy on his computer screen (if he/she has high enough company IT access rights).

So it's not just after the photocopy machine is sold that your paper copied document is viewable by a stranger, it's the second you press the "copy" button that someone in your company can (electronically) look over what you've just copied on the photocopy machine right from their PC.
by bobnjersey April 26, 2010 6:35 PM EDT
[Affinity told 409,262 individuals that their personal or medical data may have been compromised, according to a filing with the New York State Consumer Protection Board.

Medical records for nine individuals were found on the digital copier that we purchased in a wholesale warehouse. The copier had once been in use at the Affinity headquarters in the Bronx. ]

excellent ... nine people's records were found on the copier ... and they notify over 400,000 people of a medical records breach?
by kenhamlett April 26, 2010 6:13 PM EDT
This highlights the value of the news media in exposing what would otherwise have been ignored by the companies and law enforcement. This is not the first known case, but it has been routinely ignored, even portrayed to me as legal to accumulate other people's documents and data from copy machines. I see no difference between copiers, computers or file cabinets. All can be abused.
I would like to thank CBS for bringing this to the attention of the public. Maybe this time someone will listen.
by pete_in_az April 26, 2010 8:52 PM EDT
I doubt it. If someone does, it will just mean more junk in the landfills to avoid a lawsuit because it will be cheaper to shred the copiers than destroy the data on them and certify that.