Forgetting to pull the plug on the access credentials of an employee who had been terminated is going to cost the city of New Haven, Conn., $202,400, after it was fined by the Department of Health & Human Services’ Office of Civil Rights for allowing a data breach that compromised the protected health information of 500 city residents.
Eight days after she was terminated, the employee returned to the office with a union representative and locked herself in her office. She was able to access her computer using her still-active user name and password, and downloaded the protected health information of 498 residents onto a USB drive. The information that was downloaded included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. The employee also walked out of the building with boxes of personal items and paper documents. Making matters worse for the health department, the employee had shared her credentials with an intern, who continued to use them after the employee was terminated.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said Roger Severino, director of the Office of Civil Rights, in a statement.
Along with paying the fine, the city also agreed to a corrective action plan that will see it conduct a comprehensive risk analysis to evaluate all of its risks to electronic protected health information and update its policies and procedures to comply with federal standards, especially as they pertain to terminating access to protected health information when an employee stops working for the city.