What Does Your Copier Say About You?
By: Donna Ray Berkelhammer. This was posted Friday, July 2nd, 2010
“We are required to notify you of a security breach in which your name, address, social security number, date of birth and medical history may have been released.”
How would you like to send this notice to your 450,000 customers, the state’s consumer protection agency and your shareholders?
CBS News recently bought four used copier machines to see what was on the hard drives. CBS then downloaded a forensic software program from the Internet to “read” the hard drives of the copiers:
The results were stunning: from the [Buffalo, NY police department] sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.
The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.
But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.
Although many copiers have features to encrypt or erase scanned images, they often are not used, leaving companies at risk of releasing confidential information. As a result of the CBS reporting, a New York insurance company had to notify its insured and regulators that it had potentially revealed customer medical records. Other companies are at risk.
The Federal Trade Commission, the federal consumer watchdog, is going to investigate security breaches of this sort. Here are some tips for dealing with data breaches. If your business has been hacked or has otherwise released private information, contact your business attorney to determine if you have any mandatory reporting obligations.
And when you are replacing a copier or scanner, contact an IT professional to “scrub” the hard drive.