Connecticut city pays $202K HIPAA fine for failing to terminate former health department employee’s PHI access

OCR determined that the health department failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures, access controls and HIPAA Privacy Rule policies and procedures. In addition to the monetary settlement, the department has also agreed to a corrective action plan and two years of monitoring by the OCR.


Jackie Drees –
Monday, November 2nd, 2020

The New Haven (Conn.) Health Department has agreed to pay HHS Office for Civil Rights $202,400 over a 2017 HIPAA breach related to improper termination of a former employee's access to patient medical records.

An OCR investigation found that on July 27, 2016, a former employee returned to the New Haven Health Department 8 days after being fired and logged into her old computer using her still-active user account credentials. She then downloaded PHI consisting of patient names, addresses, dates of birth, gender and sexually transmitted disease test results onto a USB drive. The former employee also shared her user ID and password with an intern, who continued to use the credentials to access PHI on the department's network after the employee was terminated.

The health department filed a breach report with OCR in January 2017 stating that a former employee may have accessed a file on its computer system which contained the protected health information of 498 people, according to the Oct. 30 news release.