Community Health Center Investigated for 130K-Patient HIPAA Breach

A former IT Director of Community Health Center, Connecticut has alleged that the healthcare provider failed to address a number of security vulnerabilities, and believes his employment was terminated as a result of raising those problems with upper management.

Furthermore, when he was sent his personal belongings, the package he received is alleged to have contained a computer hard drive holding approximately 130,000 medical records of current and former patients of the Middletown clinic. The hard drive has been handed over to the state, and the Attorney General’s Office is conducting an investigation into the matter.

Community Health Center operates 13 clinics in the Middletown area including medical and dental centers, behavioral health clinics and specialized care services for HIV/AIDS patients.

Ali Eslami was employed by CHC as its IT Director and had held the position for 14 years. He claims to have spoken to top management about the poor state of IT security and to have provided information on a potential hacking incident, one that could have exposed patients’ credit card information to unauthorized individuals.

According to CHC, the hard drive that Eslami had in his possession was not sent to him with his personal belongings as alleged. CHC claims to have thoroughly checked all items sent to Eslami following the termination of his employment, and that senior members of management reviewed those items. They attest that only personal items were included.

CHC alleges that Eslami “threatened to intentionally disclose protected health information of CHC clients that he allegedly possesses” and that CHC took those threats seriously and reported them to the appropriate authorities.

The potential hacking incident that Eslami alleges occurred was based in part on an investigation he had conducted, in which he identified clinic databases containing credit card information even though that data was not used for any financial transactions. The system was designed to be free of such information, yet he discovered credit card data present in the database; he suspected it could have been used for fraudulent purposes and that CHC “lacked resources for information security.”

CHC maintains that after it terminated Eslami’s contract he refused to provide critical passwords and access codes, including the codes used to encrypt the laptop CHC had issued him. Eslami claims that this was not the case and that he had been unable to log on to the systems because his employment was terminated while he was on enforced mental health leave.

The hard drive has now been provided to CHC by the AG’s office so that it can conduct its own investigation. CHC has engaged a forensic data firm to determine the origin of the hard drive’s contents, and while that investigation is ongoing, CHC has confirmed that the hard drive was not issued to Eslami after his employment had been terminated.

The same security firm also confirmed that there was “no evidence of breach or loss of data,” and CHC maintains that at no point has its patient database been compromised. The AG investigation and the lawsuit are both ongoing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.