Failure of New Haven, CT to Terminate Ex-Employee’s Access Rights Brought About $202,000 HIPAA Fine

The City of New Haven, Connecticut has agreed to settle a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR) by paying a financial penalty of $202,400.

OCR opened an investigation in May 2017, after receiving New Haven’s data breach notification on January 24, 2017, to determine whether the breach was connected to violations of the HIPAA Rules.

OCR’s investigation found that on July 27, 2016, the New Haven Health Department had terminated an employee who was still in her probationary period. The same day, the former employee returned to the New Haven Health Department with her union representative, used her work key to enter her former office, and locked herself inside with the representative.

While in the office, the former employee logged into her old computer with her own username and password and copied data from the computer to a USB drive. She also took personal items and papers from the office and then left the premises. A file on the computer contained the protected health information (PHI) of 498 patients, including names, dates of birth, addresses, race/ethnicity, gender, and sexually transmitted disease test results. That file was among the data copied to the USB drive. An intern witnessed what the former employee did.

OCR investigators also confirmed that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network even after the employee was dismissed.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, the breach could have been avoided. Had every user been issued their own unique login credentials, the department could have attributed system activity to each individual and tracked their use of electronic PHI (ePHI).

OCR concluded that from December 1, 2014 to December 31, 2018, New Haven had not implemented HIPAA Privacy Rule policies and procedures, had not implemented procedures for terminating ePHI access when an employee’s employment or other relationship with the organization ended, and had not assigned unique usernames and passwords to identify and track user identity.

New Haven also had not conducted an accurate, organization-wide risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and the PHI of 498 individuals was impermissibly disclosed.

In addition to the financial penalty, the City of New Haven agreed to adopt a corrective action plan addressing all areas of noncompliance. OCR will monitor the City of New Haven’s HIPAA compliance for two years from the date of the resolution agreement.

Healthcare providers must know at all times who in their organization can access patient data. When a person’s employment ends, their access to patient records must end with it.
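The two controls OCR faulted New Haven for, deactivating access at termination and issuing unique credentials so activity can be attributed to one person, are both mechanical checks an organization can run routinely. The script below is an added example written for this article, not code from OCR or the City of New Haven; the roster, accounts, hostnames, dates and log lines are constructed to mirror the incident and are not real data. It reconciles an HR roster against a directory export to list accounts that should have been disabled, then scans an authentication log for any use of a terminated person’s account on or after the termination date, which would have surfaced both the ex-employee’s own login and the intern’s later use of the same credentials.

```python
"""Offboarding audit: reconcile an HR roster against directory accounts and
check an authentication log for use of terminated employees' credentials.

All data below is constructed for illustration (hypothetical ids and hosts).
"""
from dataclasses import dataclass
from datetime import datetime, date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[date]     # set by HR when status == "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                     # employee_id the account is issued to
    enabled: bool


# Constructed HR roster: emp-1002 was terminated on 2016-07-27.
ROSTER = {
    "emp-1001": Employee("emp-1001", "active", None),
    "emp-1002": Employee("emp-1002", "terminated", date(2016, 7, 27)),
    "emp-1003": Employee("emp-1003", "active", None),
}

# Constructed directory export: the terminated employee's account is still enabled.
ACCOUNTS = [
    Account("jdoe", "emp-1001", True),
    Account("asmith", "emp-1002", True),
    Account("intern01", "emp-1003", True),
]

# Constructed auth log, one event per line: "timestamp username source_host event [detail]".
AUTH_LOG = """\
2016-07-26T09:02:11 asmith hd-ws-14 login_ok
2016-07-27T16:41:03 asmith hd-ws-14 login_ok
2016-07-27T16:45:30 asmith hd-ws-14 file_copy removable_media
2016-08-03T08:15:47 asmith hd-ws-22 login_ok
2016-08-03T08:20:10 jdoe hd-ws-07 login_ok
"""


def accounts_to_disable(roster, accounts):
    """Usernames that are still enabled although HR lists their owner as terminated."""
    return sorted(
        a.username for a in accounts
        if a.enabled and roster[a.owner_id].status == "terminated"
    )


def parse_log(text):
    """Parse the whitespace-separated log into (datetime, user, host, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event, *_detail = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events


def post_termination_use(roster, accounts, events):
    """Events where a terminated owner's account was used on or after the termination date.

    Because the directory can only attribute activity to the account owner, this
    catches both the ex-employee and anyone she shared credentials with. HR records
    give a date, not a time, so same-day activity is flagged for review as well.
    """
    owner_of = {a.username: a.owner_id for a in accounts}
    hits = []
    for ts, user, host, event in events:
        emp = roster.get(owner_of.get(user, ""))
        if emp and emp.status == "terminated" and ts.date() >= emp.terminated_on:
            hits.append((ts.isoformat(), user, host, event))
    return hits


def accounts_used_from_multiple_hosts(events):
    """Weak signal for shared credentials: one username seen on more than one source host."""
    hosts_by_user = {}
    for _ts, user, host, _event in events:
        hosts_by_user.setdefault(user, set()).add(host)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    print("disable:", accounts_to_disable(ROSTER, ACCOUNTS))
    evts = parse_log(AUTH_LOG)
    for hit in post_termination_use(ROSTER, ACCOUNTS, evts):
        print("post-termination use:", *hit)
    print("multi-host accounts:", accounts_used_from_multiple_hosts(evts))
```

In practice the roster comes from the HR system and the account list from the directory (LDAP/Active Directory), and the reconciliation runs on a schedule so that a termination recorded by HR disables the account the same day; the log scan is the compensating detection for the window in which deprovisioning has not yet happened. The multi-host check is only a hint, not proof of credential sharing, and is useless if users share one login, which is exactly why unique credentials are a prerequisite for any of this attribution.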

The settlement is the 4th that OCR announced in October 2020 and the 15th HIPAA financial penalty of 2020.