A city in the United States has been fined over $200k for failing to terminate the access rights of a former employee who stole protected health information.
New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights (OCR) and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city’s health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
After being terminated by the health department on July 27, 2016, the former employee left work only to return with a union representative eight days later.
The OCR said: “Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer system, with her user name and password, and downloaded data off of her computer system onto a USB drive.”
A university student intern witnessed the former employee collecting boxes containing personal items and paper documents before leaving the building with the union representative.
A file containing the protected health information of nearly 500 patients was among the data stolen by the employee. Information exposed in the security incident included the results of tests for sexually transmitted diseases along with patients’ names, addresses, dates of birth, gender, and race/ethnicity.
The fired employee had shared her login credentials with an intern, who used them to access PHI on the network. The intern continued to access the information after the employee had been terminated.
OCR investigators found that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
“Medical providers need to know who in their organization can access patient information at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.