Conn. AG Investigates Breach Dispute
Fired IT Director, Clinic at Odds Over Incidents
An acrimonious dispute between a community health center and its former IT director has evolved into a breach investigation by Connecticut's attorney general.
The case involves Middletown-based Community Health Center, which operates 13 public clinics in the state, providing primary care services in medicine, dentistry and behavioral health, including specialized care services to patients with HIV/AIDS.
In an interview with Information Security Media Group, the center's former IT director, Ali Eslami, alleges he was terminated in February from his position at CHC, where he had worked for 14 years, because he had confronted the organization's top management about unmitigated security vulnerabilities, including a possible breach involving hacking and potential credit card fraud.
He also alleges that when CHC shipped him his personal belongings, the shipment contained a hard drive containing data on about 130,000 patients, which Eslami says he turned over to the state. The Connecticut AG's office is investigating the matter.
Meanwhile, CHC denies that it shipped Eslami the hard drive. "Items returned were of a personal nature and did not include any data. They were thoroughly vetted by members of senior management to assure this," CHC says in a statement to ISMG.
The clinic also claims that Eslami had "threatened to intentionally disclose protected health information of CHC clients that he allegedly possesses. We take all such threats seriously. We have notified the appropriate local, state and federal authorities of these and other threats."
In injunction documents filed by CHC on June 12 in the Connecticut Superior Court, the organization says that before his termination, Eslami refused to provide the encryption key for data stored on his clinic-owned laptop and passwords for "critical CHC IT accounts such as Amazon cloud computing."
Eslami told ISMG that he did not provide the encryption key to an Apple laptop and password to the cloud-based data because during that time in February he had been forced by the center to take a leave "for mental exhaustion" and was not permitted to log on to the center's computer systems. He alleges that CHC forced him to take the leave and then subsequently terminated him as retribution for confronting the center's top management in January with his suspicion that the clinic's systems had been hacked and were being used for credit card and other fraud.
Eslami says his allegations were based, in part, on discovering credit card information on clinic systems not used for financial or payment transactions, including a system used only to "push out" appointment reminders to patients. That system is set up to only contain patient and clinician names and appointment dates. Eslami says he suspected the center's system vulnerabilities had been exploited because the center allegedly "lacked resources for information security."
The state AG's office sent a letter to CHC in April as part of an inquiry into Eslami's allegations of a breach possibly involving credit card data.
In reply, CHC sent a letter to the attorney general that, according to a copy provided to ISMG by the AG's office, states: "An employee of CHC believes that there may have been exfiltration of data from CHC's computer systems. Based on this belief, CHC and its IT professionals took down CHC's computer systems" for independent forensic reviews, as well as consultation with the FBI's cybercrime unit. As a result of the investigation, "CHC did not identify any data breach involving electronic records of CHC," the letter states.
Meanwhile, Eslami alleges that the hard drive that CHC shipped to him along with his personal belongings had been used by CHC for "an unsuccessful local back up" of clinical data that had also been backed up on Amazon cloud. That hard drive included data for about 130,000 patients, including lab results, he says. Eslami turned that hard drive in to the state attorney general, alleging its shipment amounted to a breach.
In a June 13 statement, CHC says it was notified by the attorney general's office that Eslami had given the office a hard drive that Eslami claimed contained patient information. "We arranged with the AG to take possession of the device for verification. We take all such claims seriously and we have hired a third party to forensically evaluate the hard drive to determine the hard drive's origin and contents. However, we have determined that we did not provide this employee, who was our former IT director, with such a device subsequent to his termination."
An injunction granted by the court at CHC's request orders Eslami not to cause, and/or threaten to cause, unauthorized use, access, interruption, misuse and destruction of the CHC computer system. It also requires that he return any property, data and passwords he has belonging to CHC, and demands that he refrain from harassing CHC CEO Mark Masselli and his family.
CHC declined to discuss the reason for Eslami's termination.
'Lots of Questions'
Brad Keller, senior vice president of the consulting firm The Santa Fe Group - which is not involved in the Connecticut dispute - says that from the sidelines, any healthcare organization that claims it cannot access its data because a former employee has the encryption key or passwords "raises lots of questions" about the effectiveness of the entity's security and privacy policies and programs.
"If I was at that organization, I wouldn't want anyone to know that I couldn't access my data because only one employee had access to the encryption key or passwords," he says. "No one individual should ever hold the key to the kingdom," Keller says.