Failure of New Haven, CT to Remove Past Employee’s Access Rights Led to $202,000 HIPAA Fine

The City of New Haven, Connecticut has agreed to settle its HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR) by paying a $202,400 financial penalty.

OCR opened an investigation in May 2017 after receiving New Haven’s data breach notification on January 24, 2017. OCR examined whether the breach was linked to potential violations of the HIPAA Rules.

OCR’s investigation found that the New Haven Health Department had terminated an employee on July 27, 2016, during her probationary period. The former employee returned to the New Haven Health Department on July 27, 2016 with her union representative, used her work key to enter her old office, and locked herself inside along with her union representative.

While in the office, the former employee logged into her old computer using her username and password and copied data from the computer onto a USB drive. She also collected personal items and files from the office before leaving. A file on the computer contained the protected health information (PHI) of 498 patients, including names, dates of birth, addresses, ethnicity/race, sex, and sexually transmitted disease test results. That file was copied onto the USB drive. An intern witnessed what the former employee did.

OCR investigators also established that the former employee had shared her login credentials with the intern, who continued using them to access PHI on the system after the employee had been dismissed.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, the breach could have been prevented. And if every user had been issued their own unique login credentials, the system activity of each individual could have been properly traced and their access to electronic protected health information (ePHI) determined.

OCR concluded that between December 1, 2014 and December 31, 2018, New Haven failed to implement HIPAA Privacy Rule policies and procedures, failed to implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and failed to assign unique usernames and passwords to track user identity.

An appropriate organization-wide risk analysis had not been conducted to identify the potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and the PHI of 498 individuals was impermissibly disclosed.

In addition to the financial penalty, the City of New Haven agreed to adopt a corrective action plan to address all areas of non-compliance. OCR will monitor the City of New Haven’s HIPAA compliance for two years from the date of the settlement.

Healthcare organizations should know at all times who within the organization can access patient information. When an individual’s employment ends, their access to patient data must end at the same time.

This settlement is the fourth that OCR announced in October 2020, and the 15th HIPAA financial penalty of 2020.