Health Data Breach Repercussions Grow

One ex-city employee faces new felony charges — and another city employee has been fired — in the latest fallout from a data breach that compromised the personal information of over 500 New Haveners with sexually transmitted diseases.

Meanwhile, federal and state agencies are investigating the city’s handling of the matter, which a local union leader blasted and about which newly released documents raise questions.

The state has added felony third-degree burglary and larceny charges in the case against 36-year-old former city health department epidemiologist Tamika Rose Jackson. Jackson is accused in an arrest warrant affidavit of sneaking back into her old office last July 28, downloading computer files onto a personal thumb drive, then erasing the private records of at least 587 adults and minors with sexually transmitted diseases (STDs) from a government database while an intern and a union steward watched.

Jackson previously faced only misdemeanor charges in the case. The state added the felony charges during a court appearance last Thursday. Assistant State’s Attorney Mike Denison, who is prosecuting the case, said the decision is based not on any new facts, but rather on the information contained in the original arrest warrant affidavit prepared by Rob Clark, a New Haven police detective.

Jackson has not yet entered a plea. She told the Independent she declines comment on the charges. In two interviews with police, she acknowledged accessing her old computer, but described her intentions as benign. (Read about that here.)

Last week Jackson told a judge she wanted to represent herself in the case; the judge prevailed on her to accept representation by a public defender, Abra Rice. Rice said Monday that she’s not yet ready to respond to the substance of the charges. ​“I think Attorney Denison will treat her fairly,” Rice said.

Bush Whacked

Meanwhile, the Harp administration has fired the union steward who accompanied Jackson on her mission last July 28, public works department Deputy Director Alan Bush.

According to Tamika Jackson’s arrest warrant affidavit, an AFSCME Local 3144 vice-president instructed Bush to accompany Jackson to health department headquarters on Meadow Street, where Jackson had been barred from reentering her old office. Bush then accompanied Jackson to her office and stood there while, with the door locked, Jackson erased private data about local people on a Centers for Disease Control-created STD database, copied files onto a thumb drive, and kept quiet while someone tried to open the door. Bush then helped Jackson carry boxes of items out to her car according to the affidavit. The document states that the last scene was captured on a security video.

Bush’s actions were the subject of a recent heated disciplinary hearing where police were called after city Chief Administrative Officer Mike Carter thrice told a union official, ​“Let’s take this outside.”

Mayor Toni Harp said in a Monday interview that Bush was fired for ​“assisting someone in breaking the rules.”

“He helped her enter the building. He made it look like she had authority to enter,” Harp said. ​“Why was he helping someone who had no reason to be in the building at all? Why would you let someone convince you to [help someone] break the law who’s not even a member of your union?” (Tamika Jackson was not a member of AFSCME Local 3144 because she was let go before completing her 30-day probationary period. )

Local 3144 President Cherlyn Poindexter said the union plans to contest the firing.

She noted that a health department intern was in the office that Jackson entered and stayed there during the commission of the alleged crime.

“There was a bigger crime here. Why wasn’t the intern arrested?” Poindexter asked. She said the security guard who allowed Jackson into the building committed a bigger offense that Bush allegedly committed, too. (Harp said she doesn’t know if the security guard has been let go.)

Poindexter argued the city administration is at fault for not having canceled Jackson’s computer account after firing her, and for allowing the intern to have access to Jackson’s account and computer. (The intern was assigned to work with Jackson on the STD database.)

Poindexter also claimed that Bush did not ​“accompany” Jackson on her mission. She claimed that he was in the building to help other people who were union members. Told that the police reports state the video footage captured the pair together, and that the reports quote Bush acknowledging being in the room with Jackson during her time on the computer, Poindexter said she doesn’t necessarily trust what appears in a police report.

“Tell me what rule or what policy [Bush] broke,” Poindexter said. Then she posed a hypothetical as an analogy: ​“If me and you went into a store together, you decide to steal something. I’m in another aisle paying no mind. I didn’t know you stole anything. I’m going to get in trouble?”

New Haven’s health department until recently fell under the auspices of the city government’s Community Services Administration. That department now falls directly under the direction of the mayor. An independent board also oversees the health department’s work. City health director Byron Kennedy has repeatedly declined to speak publicly about his department’s handling of the database breach, referring questions to mayoral spokesman Laurence Grotheer.

And there remain questions. The feds, among others, are seeking answers.

Why The Delay?

The Office of Civil Rights of the federal Department of Health and Human Services (HHS) is conducting an investigation into the data breach, according to spokesperson Rachel Seeger. She declined to comment on the investigation because it is ​“ongoing.”

According to federal guidelines, a city has 60 days to report ​“a breach of unsecured protected health information” to the HHS secretary. The city must also contact by letter or email all the people whose information got erased and copied. If the city locate addresses for at least 10 of them, it must post information on its website.

The city did send letters to the victims of the breach — on Jan. 20. Almost six months after it occurred. (Read about that here.)

According to documents released in response to a request by the Independent under the Connecticut Freedom of Information Act, the city didn’t file a notice with the feds until Jan. 24, according to a memo by Lynne Nicolari, Director Kennedy’s executive administrative assistant. She sent a similar notice on Jan. 27 to the state attorney general’s office, which also is required to receive the information.

That was almost a full six months after the breach. According to Detective Clark’s arrest warrant affidavit, Director Kennedy contacted police on July 29 to report the allegations that Jackson had broken into the office, erased files, and downloaded files onto a thumb drive. Kennedy told police that day that Jackson had allegedly ​“taken files off her old work computer as well as documents” including ​“personal HIPAA related information pertaining to citizens with gonorrhea in the city as well as subjects with high blood lead levels.”

The breach report filed in Kennedy’s name to HHS offers a different date: ​“On 23 November 2016, the New Haven Health Department (NHHD) … was informed that the New Haven Police Department (NHPD), as part of an ongoing investigation, had determined that a file may have been accessed on a NHHD computer …”

It further states that the health department has since ​“clarified for its employees who handle confidential information the policies and procedures that prohibit the storage of such data on local drives which have fewer safeguards to protect confidentiality (e.g. encryption, passwords, and locks).”

Since the breach, according to the notice, the department has:

“• Adopted encryption technologies
“• Changed password/strengthened password requirements
“• Implemented new technical safeguards
“• Improved physical security
“• Provided business associate with additional training on HIPAA requirements
“• Revised policies and procedures
“• Trained or retrained workforce members.”

Asked about the six-month delay, mayoral spokesman Grotheer said the city didn’t have solid information about the breach at first back in July, just a ​“first report of something was amiss.”

“It wasn’t until late November that the police department got back to the health department and said it was a data breach,” Grotheer said. ​“All along it was suspected. But it wasn’t confirmed by the police department until late November.” The letter went out the required 60 days after that, he said.

What About The Media?

If a breach involves at least 500 victims, according to HHS guidelines, the city must also within 60 days ​“provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.”

The city never issued such a release.

The only media mention of a data breach, before this April 10 story appeared in the Independent following Jackson’s arrest, was this Aug. 10, 2016 Independent story briefly mentioning a ​“possible data breach.” It didn’t include details about what kind of information.

According to the documents released to the Independent, Kennedy apparently concluded that that was enough to satisfy the media-reporting requirement.

In a Jan. 12 memo to Kennedy, Deputy Corporation Counsel Gabrielle Phoenix wrote that the city’s human resources director, Steve Librandi, ​“said he thinks he confirmed for a reporter that the City was investigating a possible or a potential breach of confidential information. Just letting you know since I think you mentioned that you believe Steve’s actions satisfied a requirement for public notice.”

Whether that interpretation is correct may be moot — because the city is now claiming that the breach affected 498 people, not the 587 figured cited in the police reports. The threshold for requiring the media notice is 500 victims.

Spokesman Grotheer said the number shrank from 587 to 498 because the database included ​“duplications. If the name was associated with an STD — and then the same name was associated with another STD — they were sent just one letter.” Some people had originally been double counted, he said.

The state attorney general’s office is reviewing the handling of the breach, according to spokesperson Jaclyn M. Falkowski.

“It has been assigned to an attorney and is currently under review. As this review is pending, we are unable to comment in detail about the breach or our review,” Falkowski stated in an email message.

“Speaking generally, however, our office typically defers to criminal investigations in data breach cases, as our jurisdiction is civil. Also, while a threshold of 500 is material for certain federal reporting purposes, there is no threshold number for reporting under Connecticut state law; as to any basis for reporting a specific number, that question would be better directed to the City of New Haven.”

Grotheer defended the Harp administration’s handling of the data breach.

“There were three city departments engaged in this to make sure the city did what was required of it without causing undue alarm making people think it was something more,” Grotheer said.

No motive has emerged for Jackson’s alleged crime. And while the police state definitively that Jackson accessed and erased the files of the 587 (or 498) patients, they did not conclude either way whether those were the same files she downloaded onto her thumb drive that day. The intern present suggested they were; Jackson said they weren’t.