US City Fined Over Former Employee’s Data Theft

  • A city in the United States has been fined over $200k for failing to terminate the access rights of a former employee who stole protected health information.

    New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights (OCR) and adopt a corrective action plan that includes two years of monitoring to settle a HIPAA (Health Insurance Portability and Accountability Act) violation case.

    OCR opened an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city’s health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.

    After being terminated by the health department on July 27, 2016, the former employee left work, only to return with a union representative eight days later.

    OCR said: “Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer, with her user name and password, and downloaded data off her computer onto a USB drive.”

    A student intern witnessed the former employee gathering boxes containing personal items and paper documents before leaving the building with the union representative.

    A file containing the protected health information (PHI) of nearly 500 individuals was among the data stolen by the employee. Information exposed in the security incident included the results of tests for sexually transmitted diseases along with patients’ names, addresses, dates of birth, gender, and race/ethnicity.

    The fired employee had shared her login credentials with an intern, who used them to access PHI on the network. The intern continued to access the data after the employee had been terminated.

    OCR investigators found that New Haven had failed to conduct an enterprise-wide risk analysis and had failed to implement termination procedures and access controls such as unique user identification.
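The two control gaps named in the findings (accounts not disabled at termination, and logins that cannot be tied to one person) are both checkable from data most organizations already hold. The following is an added example, not code from the case or from any HHS material: it reconciles a constructed HR termination feed against a directory export and an authentication log, flagging accounts still enabled after the owner's last day and logins with those accounts after that date. The usernames, hosts, and log format are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data for this example (not records from the case).
# HR termination feed: username -> last day of employment.
TERMINATIONS = {"jdoe": date(2016, 7, 27)}

# Directory export: username -> whether the account is still enabled.
DIRECTORY = {"jdoe": True, "intern1": True, "asmith": True}

# Date the review is run; chosen so jdoe's last day has already passed.
AS_OF = date(2016, 8, 5)

# Constructed authentication log: timestamp, username, host, action.
AUTH_LOG = """\
2016-07-25T09:02:11 jdoe HD-WS-14 login
2016-07-29T10:15:03 intern1 HD-WS-14 login
2016-08-04T14:41:27 jdoe HD-WS-14 login
2016-08-10T08:05:00 asmith HD-WS-02 login
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, host, action)."""
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return events


def stale_enabled_accounts(directory, terminations, as_of):
    """Accounts whose owner's last day has passed but which remain enabled."""
    return sorted(
        user for user, enabled in directory.items()
        if enabled and user in terminations and terminations[user] < as_of
    )


def post_termination_logins(events, terminations):
    """Logins with an account after its owner's last day of employment."""
    findings = []
    for ts, user, host, action in events:
        last_day = terminations.get(user)
        if last_day is not None and action == "login" and ts.date() > last_day:
            findings.append((user, ts.isoformat(), host))
    return findings


if __name__ == "__main__":
    print("still enabled:", stale_enabled_accounts(DIRECTORY, TERMINATIONS, AS_OF))
    print("post-termination logins:", post_termination_logins(parse_auth_log(AUTH_LOG), TERMINATIONS))
```

A shared credential, as in the intern's case, is invisible to the second check because the log attributes every session to the account owner; that is why unique user identification is a prerequisite for the log to mean anything.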

    “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so should their access to patient records,” said OCR Director Roger Severino.