Lawsuit Reveals Security Dispute Details

Connecticut Clinic Sues Fired IT Director
Lawsuit Reveals Security Dispute Details

A lawsuit filed in an ongoing dispute between a Connecticut community health center and its former IT director over an alleged security breach reveals more details about the issues involved.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

The lawsuit is another component of an acrimonious dispute, which also involves an investigation by Connecticut's attorney general into an alleged security breach potentially affecting data of up to 130,000 patients.

The case involves Ali Eslami, the former IT director of Middletown-based Community Health Center, who was fired by the organization in February. Eslami claims he was dismissed because he confronted CHC's top management about his suspicions of an alleged hacker attack on the healthcare organization's systems.

CHC alleges in its lawsuit that Eslami refused to provide the encryption key for data stored on his clinic-owned laptop and passwords for "critical CHC IT accounts such as Amazon cloud computing" and has harassed CHC CEO Mark Masselli and his family.

CHC's lawsuit also alleges, among other things, that on Feb. 26, 2014, two days after the clinic fired Eslami, he posted on You Tube, without authorization, e-mails from two CHC executives about patient satisfaction surveys.

The lawsuit seeks "in excess of $15,000" in damages and legal fees.

An injunction recently granted by the Connecticut Superior Court at CHC's request orders Eslami not to cause unauthorized use, access, interruption, misuse and destruction of the CHC computer system. It also requires that he return any property, data and passwords he has that belong to CHC.

Refuting Allegations

In an interview with Information Security Media Group, Eslami argues that CHC's allegations are an attempt to stop him from discussing on social media, including in his personal blog, circumstances involving his dismissal from the organization.

Eslami alleges he was terminated from his position, where he had worked for 14 years, due to his assertion that the clinic's systems had been breached by a man-in-the-middle attack, potentially putting data of thousands of patients at risk for ID theft and credit card fraud.

He also alleges that when the CHC shipped him his personal belongings after his termination, the delivery included a hard drive containing data on about 130,000 patients, which Eslami says he turned over to the state. CHC, however, denies that it shipped Eslami the hard drive. "Items returned were of a personal nature and did not include any data. They were thoroughly vetted by members of senior management to assure this," CHC says in a statement to ISMG.

A spokeswoman for Connecticut's AG says the matter is still under investigation by the state.

CHC declined to comment on the lawsuit or the ongoing dispute.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.