In an ironic twist, our story became the first publicly known case of a data breach from a copy machine hard drive when we purchased a copier that had once been owned by Affinity Health Plan.
Because of medical privacy laws, Affinity was then required to file a breach notification with state and federal regulators and to notify all of its clients and everyone who might ever have had information on Affinity copy machines, including current and former employees. The company sent out a breach notice on April 5, saying it had been told of the hard drive problem on March 17th, the day it was first contacted by CBS News.
Affinity told 409,262 individuals that their personal or medical data may have been compromised, according to a filing with the New York State Consumer Protection Board.
Medical records for nine individuals were found on the digital copier that we purchased in a wholesale warehouse. The copier had once been in use at the Affinity headquarters in the Bronx.
On that same copier, we also found hundreds of pages of non-medical documents, including driver's licenses, Social Security cards, W-2 forms and even a handwritten love note.
CBS News returned the hard drives in a sealed envelope to a representative of Affinity on April 8.