A city in the United States has been fined over $200k for failing to terminate the access rights of a former employee who stole protected health information.
New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city’s health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
After being terminated by the health department on July 27, 2016, the former employee left work only to return with a union representative eight days later.
The OCR stated: “Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer, with her user name and password, and downloaded information off of her computer onto a USB drive.”
A student intern witnessed the former employee gathering boxes containing personal items and paper documents before leaving the building with the union representative.
A file containing the protected health information of nearly 500 patients was among the data stolen by the employee. Information exposed in the security incident included the results of tests for sexually transmitted diseases along with patients’ names, addresses, dates of birth, gender, and race/ethnicity.
The fired employee had shared her login credentials with an intern, who used them to access PHI on the network. The intern continued to access the data after the employee had been terminated.
OCR investigators found that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.