Dear Patient

(Lucy Gellman Photo)

New Haven’s health director wrote to hundreds of people with sexually transmitted diseases to convey unsettling news: their personal data had been compromised.

“[A] former employee may have accessed patient demographic information in a file at the Health Department,” city Health Director Byron Kennedy wrote. “The information included your name, address, date of birth, race/ethnicity, gender and sexually transmitted disease test reports but did not include other health information, social security number or billing data.”

Kennedy wrote the letter on Jan. 20, more than five months after he and other city officials learned that a recently fired employee had brushed past a security guard and, in the company of a union official, snuck back into her old office and deleted from a government database the personal records of at least 587 people with sexually transmitted diseases or lead poisoning, according to a subsequent arrest warrant. The woman also copied files from her old computer onto a thumb drive; it is unclear whether those files included the patient records. Kennedy learned about the incident and contacted police the following day. Police eventually arrested the former employee on computer crime charges.


The Harp administration Thursday released a copy of a letter it said Kennedy subsequently sent to 498 of the people whose records were tampered with. (It’s unclear why that number differs from the 587 in the arrest warrant.)

“As soon as we learned that the former employee had obtained access to the Health Department offices, we notified the New Haven Police Department. To the best of our knowledge, they have not completed their investigation of the incident, but currently they do not have any indication that the information obtained had been used nefariously. We have also made internal changes to better safeguard your private information, which includes updating and re-training staff on policies pertaining to patient confidentiality, medical records, and incident reporting, and the City’s computer hardware and software policy.”

“We take the role of protecting your personal information seriously and are taking steps to prevent this from happening again in the future,” Kennedy assured recipients.

Mayoral spokesman Laurence Grotheer said Thursday that the administration heard from “a few” of the letter recipients in response to the letter.

Since news of the arrest broke last week, Kennedy has not responded to requests for comment, and the Harp administration has not made him available for interviews to explain, for instance, how security failed to stop the ex-employee from entering the office, what specific “steps” have been taken since, or whether the files copied to the ex-employee’s thumb drive included the private patient information. The administration says that is because the investigation is “ongoing.”

Police closed their investigation upon arresting the ex-employee on March 10. The state and the police do sometimes decline to answer questions about a pending case (and at other times do not) with the argument that it technically remains “ongoing” while it wends its way through the courts.



posted by: DrJay on April 14, 2017  6:26pm

HIPAA rules require “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach”.
They also require a web page notice and toll free number if more than 10 individuals can’t be reached.

There’s also this requirement- Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.

They also have to report to HHS.  There’s a list of all breaches of more than 500 records online. About 20 such events are from Connecticut. This one is not listed.

The administration was negligent in allowing this to occur. Are they also negligent in not fulfilling federal regulations?

Has there been a federal investigation yet? Fines can be $10,000 for each breach, or 5.8 million dollars. Heads should roll over this.

posted by: IloveMYcity203 on April 14, 2017  9:53pm

As an IT professional and former System Admin, this should have never happened. Why? Rule #1 is disable any login credentials and access to any systems as soon as the person is no longer with the company, organization or whatever he or she belonged to. The IT dept. is notified by e-mail to all managers and staff letting them know the last day of employment and whether or not this is effective immediately or will take place at a later date.

The question is not about how she got into the office, it is why was she still able to access the system? Yes. I did read that the intern was using her account, but why keep an account of a former employee who could VPN in from the outside active? Just create an account for the intern and give access to files/folders on a “need” basis.

I would be curious to know the level of IT experience for people who are in charge and running the information technology department. Any degrees? Years of experience? Are these contract jobs? Things that make you go hmmmm.
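
One way to catch the gap IloveMYcity203 describes (a terminated employee’s account left enabled, and then used by someone else), as an added example that is not part of the article, of any comment, or of the City’s own systems: reconcile the HR termination feed against a directory export and flag every account that should already be disabled. The HR records, account records, usernames, dates, field names and group names below are all constructed for illustration and assume a generic HR feed and directory export.

```python
"""Offboarding reconciliation: flag accounts that should have been disabled.

Added example, not code from the article or the City of New Haven.
The HR feed and directory export are constructed sample data; field names
(employee_id, last_day, enabled, last_logon, groups) and group names are
assumptions standing in for whatever a real HR system and directory export.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    last_logon: Optional[datetime]
    groups: Tuple[str, ...]


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date  # last day of employment per HR


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str
    reason: str


# Assumed names of groups that grant access from outside the office (VPN etc.).
REMOTE_ACCESS_GROUPS = {"vpn-users", "remote-desktop"}


def reconcile(accounts: Sequence[Account], terminations: Sequence[Termination],
              as_of: date) -> List[Finding]:
    """Return findings for accounts of people whose last day is on or before as_of.

    Two checks per terminated user's account:
      1. still enabled after the last day (worse if it can be reached remotely);
      2. any logon after the last day, which means either the ex-employee or
         someone else (e.g. an intern borrowing the account) is using it.
    """
    term_by_id = {t.employee_id: t for t in terminations}
    findings: List[Finding] = []
    for acct in accounts:
        term = term_by_id.get(acct.employee_id)
        if term is None or term.last_day > as_of:
            continue  # no termination on file, or not yet effective
        days_over = (as_of - term.last_day).days
        if acct.enabled:
            remote = bool(REMOTE_ACCESS_GROUPS & set(acct.groups))
            findings.append(Finding(
                acct.username,
                "critical" if remote else "high",
                f"still enabled {days_over} days after last day {term.last_day}"
                + (" and reachable remotely via " + ", ".join(sorted(REMOTE_ACCESS_GROUPS & set(acct.groups))) if remote else ""),
            ))
        if acct.last_logon is not None and acct.last_logon.date() > term.last_day:
            findings.append(Finding(
                acct.username, "critical",
                f"logon at {acct.last_logon:%Y-%m-%d %H:%M} after last day {term.last_day}: "
                "ex-employee or someone else is using this account",
            ))
    return findings


def run_sample() -> List[Finding]:
    """Run the check over constructed sample data (not real City records)."""
    terminations = [
        Termination("E100", date(2016, 8, 10)),   # fired, account never disabled
        Termination("E300", date(2016, 7, 1)),    # offboarded correctly
        Termination("E400", date(2016, 8, 14)),   # left yesterday, not yet disabled
    ]
    accounts = [
        Account("jdoe", "E100", True, datetime(2016, 8, 12, 10, 5), ("health-dept", "vpn-users")),
        Account("intern1", "E200", True, datetime(2016, 8, 14, 9, 0), ("health-dept",)),
        Account("rsmith", "E300", False, datetime(2016, 6, 30, 16, 45), ("finance",)),
        Account("tlee", "E400", True, datetime(2016, 8, 13, 8, 30), ("health-dept",)),
    ]
    return reconcile(accounts, terminations, as_of=date(2016, 8, 15))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.username}: {f.reason}")
```

The script is meant to run on a schedule (daily is the usual cadence) with the output fed to a ticket queue; the point is that the control does not depend on a manager remembering to send the e-mail, because the HR feed itself drives the disablement and the reconciliation proves it happened. Note that `intern1` produces no finding even though the comment says an intern was using the ex-employee’s account: the second check on `jdoe` is what surfaces that, since the logon after the last day is on the ex-employee’s account, not the intern’s.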

posted by: mailuser1221 on April 16, 2017  8:16am

@IloveMYcity203 The titles and salaries for the Division of Information and Technology can be found on page 2-57 of: 2016-2016 BOA Approved Budget.pdf

It’s part of the Department of Finance.  Your pertinent questions should be directed to the Controller.

I wholeheartedly agree violations with implications seem to have occurred, but I find it interesting that New Haven, home of “pick and choose” what Federal laws to obey, has an issue here.  Simply have a rally and shout HIPAA rules don’t apply here.  Sanctuary from the rules and laws means no violations occurred, right?

Of course not.  If an illegal alien comes in through Texas, does it matter to someone in Wyoming?  If HIPAA laws were broken in New Haven does it matter to someone in Hawaii? 

If the answer is yes, then laws are laws and all of them apply, not some.  If these individuals file claims, or if City employees get in trouble, you have to negate those actions based on New Haven’s Sanctuary Pick and Choose Policy of what Federal laws apply, will be followed or ignored.

It’s not some laws, those that you like versus those that you don’t.  Law is the law and let’s see how Sanctuary New Haven handles this.

posted by: lookingIn on April 17, 2017  2:06pm

@IloveMYcity203 I agree with you this should have never happened per rule #1, but this has nothing to do with degrees or years of experience; it is a matter of following industry-standard I.T. policies, which were either never defined or not followed at the City of New Haven.

posted by: Jabra1 on April 19, 2017  8:26am

What I am curious about is the obvious: why the Union directed a member to accompany and assist a former city employee (not a union member), beyond general civility, to commit a crime, violating more than 500 residents of this City. As a resident, I want my fellow residents to get some justice, and that can start with those union officials involved resigning.  The Union Officials who participated in this crime should be disciplined immediately.  If this were the private sector they would have been terminated without delay.  Oh, Union members seeking a wage hike, well maybe if criminal acts were not condoned and supported by this group, the money from future lawsuits could go to the law-abiding members of the Union for wages and benefits.

As a side, generally speaking unarmed physical security officers are monitors, just like they are portrayed in a current popular TV commercial. The security individual in this article informed someone that an individual was on the way to the department