US City Fined Over Former Employee's Data Theft
upstart writes in with an IRC submission:
US City Fined Over Former Employee's Data Theft:
A city in the United States has been fined over $200k for failing to terminate the access rights of a former employee who stole protected health information.
New Haven, Connecticut, agreed to pay a $202,400 financial penalty to the Department of Health and Human Services' Office for Civil Rights and adopt a corrective action plan that includes two years of monitoring to resolve a HIPAA (Health Insurance Portability and Accountability Act) violation case.
The OCR launched an investigation in May 2017 after receiving a data breach notification from New Haven in January of that year. OCR found that the city's health department had failed to remove the access rights of an employee who had been fired the previous summer during her probationary period.
[...] OCR investigators found that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures and access controls such as unique user identification.
"Medical providers need to know who in their organization can access patient data at all times. When someone's employment ends, so must their access to patient records," said OCR Director Roger Severino.
Read more of this story at SoylentNews.