Four years after a data breach that compromised the personal information of hundreds of New Haveners with sexually transmitted diseases, the city has agreed to pay a $202,400 fine and clean up its act.
The city has struck that agreement with the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), which announced the deal in a press release.
The breach occurred in 2016. A fired former employee snuck back into her old office at the New Haven Health Department and downloaded computer files onto a personal thumb drive, then erased the private records of at least 587 adults and minors with sexually transmitted diseases (STDs) from a government database while an intern and a union steward watched.
The city revealed the breach the following January. Click here, here and here for stories the Independent wrote about the case at the time.
HHS’s OCR then conducted its own investigation, which found that the ex-employee also “shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated,” according to the department’s release. (The department confirmed 498 individual patients as having had records compromised, as opposed to the 587 originally cited by the city.)
The investigation faulted the then-Harp administration’s handling of the breach. The city should have, but didn’t, “conduct an enterprise-wide risk analysis” or institute needed termination procedures and data-access controls to protect patients’ privacy moving forward, the investigation concluded.
Under the settlement, the city now agrees to put in place a “robust corrective action plan.” This plan.
“Medical providers need to know who in their organization can access patient data at all times,” the release quotes OCR Director Roger Severino as saying. “When someone’s employment ends, so must their access to patient records.”
The state criminally charged the ex-employee, who received a four-year prison sentence. The city disciplined another involved worker.
Mayor Justin Elicker Monday said he welcomes the settlement. He said he’s “grateful” that the feds fined the city only a “fraction” of what it could have.
“It is regrettable that the City of New Haven failed to fully address this security breach at the time. The federal investigation and enforcement action took some time, but it is our understanding that the Health Department, headed by a Director of Health who no longer works for the City, did take steps to restrict access to its offices and to place greater emphasis on the importance of compliance with privacy laws in the aftermath of the breach,” he said in a statement released by his office.
“Going forward the City, with technical assistance from the Department of Health and Human Services, will undertake a full assessment of every location where protected health information is located, and establish an action plan to compliance with federal policy and regulations regarding the protection of this information. This assessment and implementation of recommended changes are expected to include: adoption or a citywide policy regarding protection of personal health information which is currently pending before the policy committee, engaging HIPAA expert to work with IT to complete a risk assessment, centralize the location of protected health information, implement a plan to minimize risk of another breach, implement periodic training of City employees to emphasize HIPAA compliance, and establish periodic system testing for protection of health information.”
