Affinity Health Plan, Inc., a managed care plan, filed a breach report with the U.S. Department of Health and Human Services (“HHS”) after discovering that it had returned leased photocopiers to the leasing agents without first erasing the electronic protected health information (“EPHI”) that was stored on the copiers’ hard drives. The breach was estimated to have affected 344,579 individuals. HHS investigated the breach and concluded that Affinity had (1) impermissibly disclosed EPHI, (2) failed to perform a risk assessment of storing EPHI on the hard drives, and (3) failed to implement policies for the disposal of EPHI on the hard drives. Affinity entered into a settlement agreement with HHS, providing for a $1.2 million payment and a corrective action plan requiring Affinity to use best efforts to retrieve the hard drives and to take other measures to safeguard EPHI. A link to the HHS website discussing the settlement is available here.