The City of New Haven Health Department entered into a HIPAA corrective action plan with the Department of Health and Human Services for failing to properly terminate a former employee’s access to protected health information (PHI). The City of New Haven, Connecticut Health Department operates a public health clinic providing preventive medical services.
In 2017, the City filed a breach report with OCR indicating that a former employee may have accessed a file containing PHI of 498 individuals. An investigation showed that the former employee returned to the City 8 days after being fired, logged into her old computer with her still-active user name and password, and downloaded PHI onto a USB drive. The investigation also uncovered that the former employee had shared her user ID and password with an intern, who continued to use the credentials to access PHI after the employee was terminated.
The City agreed to pay $202,400 and implement a corrective action plan.