WANAN YOSSINGKUM/istock via Gett

New Haven Pays OCR $202K for PHI Breach of 498 Patients, HIPAA Failure

OCR settled with New Haven, Connecticut following the breach of 498 patients in 2017, caused by failing to implement employee termination procedures, a potential HIPAA violation.

The Office for Civil Rights reached a settlement with the city of New Haven, Connecticut, including a $202,400 civil monetary penalty and a corrective action plan, following a breach to the protected health information of just 498 patients caused by a 2017 HIPAA violation. 

After a relative calm in enforcement announcements during the COVID-19 crisis, OCR has settled with 11 providers to resolve HIPAA violations in September and October alone, including AetnaPremera Blue Cross, Dignity Health, Athens Orthopedic Clinic, and New York Spine Medicine, among others

The city of New Haven settlement stems from a security incident reported to OCR by its Health Department, which operates a public health clinic that provides, among other services, preventative medical care for both adults and children. 

OCR received a breach report from the health department in January 2017, where a former employee accessed a file stored on a city computer that contained the protected health information of 498 individuals. 

Eight days after the employee was fired in July 2016, she returned to the health department and logged into her old computer with her credentials – as the health department had not rendered them inactive after her termination. 

“Using her work key, the former employee entered her old office and locked herself and the union representative inside,” according to the resolution agreement. “While inside the office, the former employee logged into her old computer, with her user name and password and downloaded information off of her computer onto a USB drive.” 

“The former employee removed boxes containing personal items and paper documents,” it added. “This was witnessed by a student intern who was present at the time. The former employee and the union representative then both exited the building.” 

The downloaded PHI included names, contact information, dates of birth, demographic details, and sexually transmitted disease test results onto a USB drive. The employee also shared her credentials with an intern, who continued to access PHI on the city’s network – long after the employee was terminated. 

The OCR investigation revealed several potential HIPAA violations, which included failing to conduct an enterprise-wide risk analysis, termination procedures, access controls, and other privacy policies and procedures. 

“Medical providers need to know who in their organization can access patient data at all times,” said OCR Director Roger Severino, in a statement. “When someone’s employment ends, so must their access to patient records.” 

Along with the civil monetary penalty, the city of New Haven agreed to enter into a corrective action plan with the Department of Health and Human Services, which includes two years of monitoring. 

Under the CAP, the city is required to develop a complete inventory of all facilities, electronic equipment, data systems, and applications that store or contain ePHI, before conducting a thorough risk analysis of all potential vulnerabilities and risks to the confidentiality, integrity, and availability of electronic PHI held by the New Haven Health Department. 

The assessment must include ePHI from all clinics and anywhere throughout the city’s departments that contain ePHI, evaluating ePHI risks on all electronic equipment, data systems, and applications administered or owned by the health department and that store, transmit, or receive ePHI.

The city must then develop an enterprise-wide risk management plan to address and mitigate any risks or security gaps revealed by the risk analysis, including a process and timeline for the implementation, evaluation, and revision of its risk remediation activities. 

Further, New Haven must review and revise its written policies and procedures to comply with HIPAA for governing the privacy of individually identifiable health information, along with the standards for breach notifications and policies and procedures regarding the termination of ePHI access when an employee ends its relationship with the city. 

The city is also required to review and revise policies and procedures for assigning unique names and or numbers for identifying and tracking user identity. All new policies and procedures must be provided to workforce members who otherwise interact with ePHI, for which the city must also provide training. 

In light of the heightened threat landscape, healthcare covered entities should review these requirements to ensure they also have bolstered the privacy and security of their protected health data.

Next Steps

Dig Deeper on HIPAA compliance and regulation