Improper Disposal of Hard Drives Leads to Large Healthcare Data Breach

How careful are you at following HIPAA regulations? Are you making any mistakes, even if those mistakes are inadvertent? A recent healthcare data breach in Maine is raising awareness of the importance of choosing the right methods and ITAD providers for data destruction and e-recycling.

The HIPAA Privacy Rule lays clear foundations on what a healthcare office or company must do to keep protected health information (PHI) private. Only authorized users are allowed to access electronic information systems. When someone is away from their desk, they must log out of all applications that access patient information. The HIPAA Security Rule goes a step further and addresses the importance of having policies and procedures in place when it comes to end-of-life electronics used in medical settings.

When a firm fails to dispose of computers and other electronics in accordance with the law, the risk of data theft is all too real. Volunteers and employees have to be appropriately trained and fully understand how to dispose of any medical electronics. This includes wiping hard drives and destroying the electronics after data is destroyed. Data destruction sanitizes the information on a hard drive or storage device before the electronic item is shredded for recycling or restored to factory settings for resale.

The problem is that even with protections and rules in place, breaches still occur. Some of them are directly linked to poor e-recycling methods that fail to follow HIPAA rules. You may be making mistakes without realizing it.

Hard Drives Aren’t Properly Wiped of Data

On September 9, 2021, HealthReach Community Health Centers notified 101,395 Maine residents of a potential large-scale healthcare data breach at the community healthcare organization. The Waterville, Maine, practice learned of a possible violation from hard drives that were not disposed of properly.

Instead of being wiped and shredded, several hard drives were improperly disposed of by a third-party storage facility. Information on those hard drives included patient names, SSNs, dates of birth, financial account numbers, lab/test results, insurance details, passwords, security codes, and PINs.

In addition to the Maine residents, another 15,503 people from other states were also affected. Every patient of HealthReach is being asked to monitor their accounts and credit report. HealthReach had not been notified that information was being fraudulently used, but the risk is there. Affected consumers were offered a year of credit monitoring, dark web monitoring, and identity theft protection services. Plus, patients receive a $1 million reimbursement insurance policy through IDX/Transunion.

The investigation into the improper hard drive disposal is ongoing. But it’s essential to realize that HealthReach is not the only healthcare organization to face a breach of this nature. It’s estimated that 1 out of 4 data breaches is caused by negligence. The HIPAA Journal reported 16 incidents of improper disposal of electronics in 2020, with close to 600,000 records potentially exposed in those incidents.

How Do You Prevent Negligence-Related Data Breaches?

It’s in everyone’s best interest to prevent breaches related to negligence. If you don’t take measures to follow HIPAA rules, you face fines. Companies paid more than $13.5 million in fines during 2020. The penalties for HIPAA violations are:

  • Fines of $100 to $50,000 per violation ($25,000 maximum per year) if the practice or organization used due diligence from the start.
  • Fines of $1,000 to $50,000 per violation ($100,000 maximum per year) if there’s a reasonable belief that the company knew.
  • Fines of $10,000 to $50,000 per violation ($250,000 maximum per year) for willful neglect with an effort made to correct the violation within 30 days.
  • Fines of $50,000 per violation ($1.5 million maximum per year) for willful neglect with no effort to correct the violation within 30 days.

When you’re disposing of unneeded or broken electronics and medical equipment, you have to be very careful. The “Final Security Rule” requires data destruction on any electronic PHI on a device being recycled, upgraded, or resold. Electronics that healthcare professionals must recycle aren’t just computers and tablets. Data destruction is also necessary on copiers, imaging equipment, printers, and anything else that stores patient information.

Per the NIST 800-88 R1, sanitization methods should follow a “Clear, Purge, Destroy” path. Take a closer look at what that includes.

  • Clear – Apply methods that rewrite information with a new value or reset to factory settings. Clearing is often done using special software or hardware that overwrites the storage space.
  • Purge – Take measures to make it impossible to locate the path to private data using methods like Cryptographic Erase, degaussing, and physical destruction by smashing or bending the item.
  • Destroy – Remove all paths to the private data and render the electronic useless through processes like incinerating, melting, or shredding.

Within the NIST 800-88 R1 guide, the government offers guidance on sanitizing different items using built-in software. It can be a time-consuming process. For example, the first step to sanitizing an iPad is to go into settings and choose “Erase All Content and Settings,” which clears and purges simultaneously. The user then needs to check files and folders to make sure everything is gone. At this point, the device should be incinerated, shredded, or melted.
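NIST 800-88 treats the verification step after a Clear as part of the sanitization itself, not an optional extra: the point of the HealthReach case is that nobody confirmed the drives were actually wiped before they left the organization’s control. The following example is added here and is not code from ERI, NIST, or the original article. It models a drive as an in-memory byte image (constructed sample data, not real PHI), simulates the Clear overwrite, and then verifies the result both with a full read and with the representative-sampling approach NIST allows for large media. It also shows how a single sector the tool failed to overwrite is caught.

```python
"""Post-Clear verification of a storage device image (added example, not the page's own code).

Models a drive as a bytearray of fixed-size sectors. A real sanitization tool would
overwrite the physical device; here the overwrite is simulated so the verification
logic can be exercised offline. Caveat: reading back the LBA space only proves a Clear
on magnetic media. Flash/SSD media remap blocks internally, so the NIST 800-88 answer
there is a Purge (cryptographic erase or the drive's sanitize command), not a software
overwrite verified by read-back.
"""
import random

SECTOR_SIZE = 512          # assumed sector size for the simulated drive
PATTERN = b"\x00"          # overwrite pattern the Clear is expected to leave behind


def build_sample_drive(sectors: int, seed: int = 1) -> bytearray:
    """Construct a fake drive image filled with pseudo-random bytes standing in for
    patient records. Constructed sample input only."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(sectors * SECTOR_SIZE))


def _expected_sector(pattern: bytes) -> bytes:
    """One sector's worth of the overwrite pattern, for comparison."""
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


def clear_image(image: bytearray, pattern: bytes = PATTERN) -> None:
    """Simulated Clear step: overwrite every byte of the image with the pattern."""
    image[:] = (pattern * (len(image) // len(pattern) + 1))[: len(image)]


def dirty_sectors(image: bytes, pattern: bytes = PATTERN) -> list[int]:
    """Full verification: read every sector and return the indices that still differ
    from the expected pattern. An empty list means the Clear left no residual data."""
    expected = _expected_sector(pattern)
    total = len(image) // SECTOR_SIZE
    return [
        n for n in range(total)
        if bytes(image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]) != expected
    ]


def sampled_dirty_sectors(image: bytes, pattern: bytes = PATTERN,
                          fraction: float = 0.1, seed: int = 0) -> list[int]:
    """Representative-sampling verification: always check the first and last sector,
    plus a pseudo-random fraction of the rest. A non-empty result is proof of failure;
    an empty result is only statistical evidence of success, so it is the weaker check."""
    expected = _expected_sector(pattern)
    total = len(image) // SECTOR_SIZE
    rng = random.Random(seed)
    chosen = {0, total - 1}
    chosen.update(rng.sample(range(total), max(1, int(total * fraction))))
    return sorted(
        n for n in chosen
        if bytes(image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]) != expected
    )


def demo_clean_clear() -> tuple[int, int]:
    """Return (dirty sector count before Clear, dirty sector count after Clear)."""
    drive = build_sample_drive(64)
    before = len(dirty_sectors(drive))
    clear_image(drive)
    after = len(dirty_sectors(drive))
    return before, after


def demo_partial_clear() -> list[int]:
    """Simulate a Clear that silently skipped one sector (constructed fault) and show
    that full verification pinpoints it."""
    drive = build_sample_drive(64)
    clear_image(drive)
    offset = 10 * SECTOR_SIZE
    drive[offset:offset + 4] = b"PHI!"   # residual data the tool failed to overwrite
    return dirty_sectors(drive)


if __name__ == "__main__":
    print("before/after full verify:", demo_clean_clear())     # (64, 0)
    print("sectors still holding data:", demo_partial_clear())  # [10]
```

The design choice worth noting is that `dirty_sectors` reports sector indices rather than a bare pass/fail: a verification record that names what failed is what an auditor, or a covered entity reviewing a vendor’s certificate of destruction, can act on.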

Is that really enough? If you’re the owner or manager of a medical office, you have to be very careful not to risk making a mistake. Hire an expert that is knowledgeable in data destruction and e-recycling for medical electronics.

Hire an Expert in Data Destruction Services

The best way to ensure you comply is by hiring an ITAD provider certified in data destruction (NAID) and responsible recycling (e-Stewards and R2). ERI is the only company to choose as your partner when you’re upgrading your equipment, getting rid of unnecessary equipment, or disposing of broken electronics. We hold NAID, e-Stewards, and R2 certifications. We also offer several levels of data destruction following NIST 800-88 Rev1 or NSA/CSS Storage Device Sanitization rules.

When you choose ERI, we offer data destruction and shredding at your office or one of our eight locations. If you choose us for data destruction and e-recycling, enhanced and high-security services are available and add protections like TSA-certified drivers or video verification of the data destruction process. All of our facilities provide:

  • 24/7 video surveillance
  • Fenced and gated perimeters
  • Guarded areas 24/7
  • Metal detectors and RFID/Proxy Ready doors in secured areas
  • Monitoring with motion-detection alarms and security cameras
  • Secured (authorized personnel only) Asset Management and Data Destruction areas
  • Security gates on all doors, loading docks, and trucks

Before you choose an ITAD provider, think carefully. Research your options. Remember that the recent healthcare breach involved a third-party vendor who didn’t properly destroy the hard drives. ERI has years of experience and has helped dozens of companies with their ITAD needs. Call us to learn more about your medical office’s ITAD needs, and we’ll walk you through the options that ensure you’re in compliance. We can’t stop you from choosing someone else, but we urge you to check the provider’s certifications. It can make a big difference in ensuring you avoid fines for HIPAA violations.