US City Fined Over Former Employee’s Data Theft
Posted November 2, 2020
- New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
- The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city’s health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
- The OCR stated: “Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer, with her user name and password, and downloaded information off of her computer onto a USB drive.”
- OCR investigators found that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
– Sarah Coble | November 2, 2020