Lucy Gellman Photo
Health chief Kennedy: Unanswered questions on data breach.
New Haven’s health director wrote to hundreds of people with sexually transmitted diseases to convey unsettling news: Their personal data had been hacked.
“[A] former employee may have accessed patient demographic information in a file at the Health Department,” city Health Director Byron Kennedy wrote. “The information included your name, address, date of birth, race/ethnicity, gender and sexually transmitted disease test reports but did not include other health information, social security number or billing data.”
Kennedy wrote the letter on Jan. 20 — more than five months after he and other city officials learned that a recently fired employee had brushed past a security guard and, in the company of a union official, snuck back into her old office and eliminated from a government database the personal records of at least 587 people with sexually transmitted diseases or lead poisoning, according to a subsequent arrest warrant. The woman also transferred files from her old computer onto a thumb drive; it’s unclear whether or not those files included the patient records. Kennedy learned about the incident and contacted police the following day. Police eventually arrested the former employee on computer crime charges.
Click here to read a previous story detailing the case.
The Harp administration Thursday released a copy of a letter it said Kennedy subsequently sent to 498 of the people whose records were tampered with. (It’s unclear why that number differs from the 587 in the arrest warrant.)
“As soon as we learned that the former employee had obtained access to the Health Department offices, we notified the New Haven Police Department. To the best of our knowledge, they have not completed their investigation of the incident, but currently they do not have any indication that the information obtained had been used nefariously. We have also made internal changes to better safeguard your private information, which includes updating and re-training staff on policies pertaining to patient confidentiality, medical records, and incident reporting, and the City’s computer hardware and software policy.”
“We take the role of protecting your personal information seriously and are taking steps to prevent this from happening again in the future,” Kennedy assured recipients.
Mayoral spokesman Laurence Grotheer said Thursday that the administration heard from “a few” of the letter recipients in response to the letter.
Kennedy has not responded to requests and the Harp administration has not made him available for interviews — to explain, for instance, how security failed to stop the ex-employee from entering the office, or specifically what “steps” have been taken since, or whether the files transferred to the ex-employee’s thumb drive included the private patient information — since the news of the arrest broke last week. The administration claims that’s because the investigation is “ongoing.”
Police closed their investigation upon arresting the ex-employee on March 10. The state and the police do sometimes decline to answer questions about a pending case (and at other times do not) with the argument that it technically remains “ongoing” while it wends its way through the courts.
HIPAA rules require "These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach".
(https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
They also require a web page notice and toll free number if more than 10 individuals can't be reached.
There's also this requirement- Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
They also have to report to HHS. There's a list of all breaches of more than 500 records online. About 20 such events are from Connecticut. This one is not listed.
The administration was negligent in allowing this to occur. Are they also negligent in not fulfilling federal regulations?
Has there been a federal investigation yet? Fines can be $10,000 for each breach, or 5.8 million dollars. Heads should roll over this.