HIPAA Horror Stories

Fired Employee Returns to Steal PHI

one-minute read

An employee who is fired can steal data and ruin your reputation long after they leave if their computer access is not terminated right away. A HIPAA Risk Analysis can help prevent this costly mistake.

Municipal Departments are Not Immune to HIPAA Enforcement

The City of New Haven Health Department in Connecticut paid the Office for Civil Rights (OCR) which enforces HIPAA, $202,400 to settle an investigation into HIPAA violations after the data breach was discovered.

A former employee of the City of New Haven Health Department returned to the department eight days after being let go, logged into her old computer with her still-active user name and password, and downloaded onto a thumb drive protected health information (PHI) that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. In its investigation the Office for Civil Rights (OCR) also found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated. At least 498 patient files may have been accessed.

HIPAA Risk Analysis Missing

Among the problems OCR found were that the City of New Haven Health Department failed:

OCR Director Roger Severino commented on the New Haven settlement,

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”

In addition to the monetary settlement, the City of New Haven Health Department agreed to a two-year Corrective Action Plan.

HIPAA Privacy and Security Rules Both Matter

Although the City of New Haven was called out for failing to have HIPAA Privacy Rule policies and procedures, they also clearly did not have adequate policies for the Security Rule. Employee access to electronic records, and appropriate password and login procedures come from the Security Rule.

A Thorough Risk Analysis Uncovers Gaps

A complete HIPAA Risk Analysis will reveal weaknesses like those at the City of New Haven Health Department. The security rule checklist in The HIPAA E-Tool® Risk Analysis section ensures that user access rules are in place, user identification is strict, and password protection is strong, among other procedures.

All the required policies for the Privacy, Security and Breach Notification Rules are included, with step-by-step guidance on how to complete a full HIPAA Risk Analysis.

Don’t be surprised by a fired employee returning to steal patient data. You can prevent this mistake with good plans and strong compliance.

Photo by Soumil Kamar from Pexels

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free