Connecticut city pays $202K HIPAA fine for failing to terminate former health department employee’s PHI access

The New Haven (Conn.) Health Department has agreed to pay HHS’ Office for Civil Rights $202,400 over a 2017 HIPAA breach related to improper termination of a former employee’s access to patient medical records. 

The health department filed a breach report with OCR in January 2017 stating that a former employee may have accessed a file on its computer system that contained the protected health information of 498 individuals, according to the Oct. 30 news release. 

An OCR investigation discovered that on July 27, 2016, a former employee returned to the New Haven Health Department eight days after being fired and logged into her old computer using her still-active user account information. She then downloaded PHI including patient names, addresses, dates of birth, gender and sexually transmitted disease test results onto a USB drive. The former employee also shared her user ID and password with an intern, who continued to use the credentials to access PHI on the department’s network after the employee was terminated. 

OCR determined that the health department failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures, access controls, and HIPAA Privacy Rule policies and procedures. In addition to the financial settlement, the department has agreed to a corrective action plan and two years of monitoring by OCR.
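Both failures OCR describes, an account left active after its owner's termination and that account's credentials reused from another workstation, become visible when authentication logs are reconciled against the HR offboarding roster. The following is an added example, not part of the article or of any New Haven system; the user IDs, dates, workstation names and log lines are constructed, and the roster and log format are hypothetical.

```python
from datetime import date, datetime, timedelta

# Constructed HR offboarding roster: user id -> termination date.
# Illustrative values only, not taken from the OCR release.
TERMINATED = {
    "jdoe": date(2016, 7, 19),  # account should have been disabled on this date
}

# Constructed authentication log lines: timestamp, user id, outcome, workstation.
AUTH_LOG = """\
2016-07-18T08:55:12 jdoe LOGIN_OK WS-HD-04
2016-07-20T09:02:40 jdoe LOGIN_OK WS-HD-04
2016-07-27T10:14:03 jdoe LOGIN_OK WS-HD-04
2016-08-02T13:41:57 jdoe LOGIN_OK WS-HD-11
2016-08-02T13:50:00 asmith LOGIN_OK WS-HD-02
"""

def parse_line(line):
    ts, user, outcome, host = line.split()
    return datetime.fromisoformat(ts), user, outcome, host

def post_termination_logins(log_text, terminated, grace=timedelta(0)):
    """Successful logins by accounts whose owner was terminated before the login.
    Each hit records the host and the days elapsed since termination, so a login
    from a workstation the owner never used stands out as possible credential sharing."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, outcome, host = parse_line(raw)
        term_date = terminated.get(user)
        if term_date is None or outcome != "LOGIN_OK":
            continue
        cutoff = datetime.combine(term_date, datetime.min.time()) + grace
        if ts >= cutoff:
            hits.append({"user": user, "when": ts, "host": host,
                         "days_after_termination": (ts.date() - term_date).days})
    return hits

def stale_accounts(active_accounts, terminated, as_of):
    """Accounts still enabled in the directory although HR lists the owner as terminated.
    Running this daily against a directory export catches the gap before it is exploited."""
    return sorted(u for u in active_accounts if u in terminated and terminated[u] <= as_of)
```

The reconciliation is the control the settlement calls a termination procedure; the log scan is the detection that would have shown the eight-day gap and the second workstation.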


© Copyright ASC COMMUNICATIONS 2020.