> from Affinity Health Plan, a New York insurance company, ... we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

> As for Affinity Health Plan, they issued a statement that said, in part, "we are taking the necessary steps to ensure that none of our customers' personal information remains on other previously leased copiers, and that no personal information will be released inadvertently in the future."

For comparison, per https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf - "As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals."

Of course, any single breach of a copier would be limited to the individuals whose documents touched that copier, and might come under this threshold. Affinity is not on the list at the moment - this may be because the news only just broke.

But do the regulatory bodies say "Affinity, you were found to not have a procedure for properly disposing of copiers, so we need to assume that you've leaked health information from EVERY disposed copier historically"? Only then would it be treated with the same seriousness that e.g. HIPAA-compliant SaaS services are expected to treat security. Just because copier hard drives aren't networked software doesn't mean that they don't have network-scale security problems.