City of New Haven Fined €202,000 for Failure to Terminate Former Employee’s Access Rights

In Connecticut the City of New Haven has committed to paying a $203,400 financial penalty to the Department of Health and Human Services’ office for Civil Rights to compensate for a HIPAA violation case. 

An OCR investigation was initiated in May 2017 following a receipt of data breach notification originating in New Haven on January 24. OCR investigated if the City of New Haven was responsible for HIPAA violations. Following this investigation, OCR ruled that a member of staff at New Haven Health Department been fired on July 27, 2016 at a time when she was on probationary leave. The former employee went to her old office, accompanies by her union representative and used her work key to gain access to her old office where she then locked her and union representative inside. While inside she logged into her previous work computer, using her old username and password, and copied data from her computer into a USB drive. She removed personal details and items from the office and exited the building. One file in particular included the protected health information (PHI) of 498 patients – including names, addresses, dates of birth, ethnicity, gender and sexually transmitted disease test results. That file was among those that were saved to the USB drive and the former employee doing this was witnessed by an intern. 

Investigators at OCR ruled that the woman in question had also shared her login details with an intern who had continued to use this info to gain access to PHI on the network even after she was sacked.  If the New Haven Health Department had just disabled the former employee’s login credentials this data breach would have been prevented. In addition to this, if all users and employees were given unique login credentials it would have been possible to determine the activity of each individual on the system and identify actions with ePHI

OCR then found that from December 1 2014 to December 31 2018, HIPAA Privacy Rules had not been adhered to. New Haven had not allocated unique usernames and passwords or had implemented procedures for cutting off access to ePHI when the employment or arrangement of a workforce member was terminated.  An accurate organisation-wide risk assessment had not been performed to identify the possible dangers and weaknesses to the privacy, integrity and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of a total of 498 individuals. 

Along with the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of ignorance of regulation. OCR will watch for the HIPAA compliance for 2 years from the date of the resolution agreement. OCR Director Roger Severino stated: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”

The settlement is the 4th to be announced by OCR in October 2020, and the fifthteenth HIPAA financial penalty of 2020.


Author: Maria Perez