A city in the United States has been fined over $200k for failing to terminate the access rights of a former employee who stole protected health information.
New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city’s health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
After being terminated by the health department on July 27, 2016, the former employee left work only to return with a union representative 8 days later.
The OCR stated: “Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer, with her user name and password, and downloaded information off of her computer onto a USB drive.”
A student intern witnessed the former employee collecting boxes containing personal items and paper documents before leaving the building with the union representative.
A file containing the protected health information of almost 500 patients was among the data stolen by the employee. Information exposed in the security incident included the results of tests for sexually transmitted diseases along with patients’ names, addresses, dates of birth, gender, and race/ethnicity.
The fired employee had shared her login credentials with an intern, who used them to access PHI on the network. The intern continued to access the data after the employee had been terminated.
OCR investigators found that New Haven failed to conduct an organization-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
Some parts of this article are sourced from:
www.infosecurity-journal.com