City Faces HIPAA Fine After Health Department BreachTerminated Worker Accessed PHI After Leaving Job
Federal regulators have hit a city health department with a $200,000 HIPAA settlement after a breach reportedly affected fewer than 500 individuals.
The case involved a former city employee who continued to access citizens' health records - plus shared her credentials with an intern - after the worker's job was terminated.
In a statement Friday, the Department of Health and Human Services' Office for Civil Rights says the city of New Haven, Connecticut, has agreed to pay the financial settlement and implement a corrective action plan in the wake of a 2016 incident.
HHS OCR says the New Haven Health Department filed a breach report stating that a former employee may have accessed a file containing the protected health information of about 500 individuals.
"OCR's investigation revealed that, on July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender and sexually transmitted disease test results onto a USB drive," OCR says.
OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven's network after the employee was terminated.
The breach incident was also the subject of a criminal case against the former employee. In 2017, state prosecutors charged the former city health worker with third-degree burglary and larceny charges in the case, according to the news site New Haven Independent.
Privacy attorney David Holtzman of the consultancy HITprivacy notes: "OCR's investigation likely came about through media coverage of criminal charges that resulted from the law enforcement investigation of New Haven city employees who allegedly played a role in this incident."
The HHS investigation focused on how the lack of effective controls and safeguards made it possible for insiders with malicious intent to access and acquire PHI without authorization or detection, he adds.
Maritza Bond, the director of New Haven's health department, tells Information Security Media Group that the city does not comment "on legal issues."
OCR's breach investigation determined that New Haven failed to conduct an enterprisewide risk analysis and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
"Medical providers need to know who in their organization can access patient data at all times. When someone's employment ends, so must their access to patient records," said Roger Severino, OCR director, in the statement.
Corrective Action Plan
The resolution agreement calls for the health department to take a number of corrective actions, including:
- Conducting a comprehensive security risk analysis of electronic PHI;
- Developing an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities;
- Reviewing and revising written policies and procedures to comply with the HIPAA privacy and breach notification regulations;
- Reviewing and revising its policies and procedures regarding terminating access to ePHI when the employment of a workforce member ends;
- Reviewing and revising policies and procedures regarding assigning a unique name and/or number for identifying and tracking user identity;
- Distributing these policies and procedures to its workforce and providing training.
"The amount of the penalty does not tell the story of the scope and breadth of the corrective action plan that makes up the resolution agreement," Holtzman notes. "The corrective action plan reflects OCR's finding of a systemic failure to develop a culture of privacy or to implement a reasonable risk-based information security program."
The resolution agreement with the city of New Haven is the second HIPAA settlement announced by OCR this week. The agency on Wednesday announced a $1 million HIPAA settlement with insurer Aetna for three 2017 breaches (see: Aetna Fined $1 Million After 3 Data Breaches).
So far in 2020, OCR has issued more than a dozen HIPAA enforcement actions.