Community Health Center Probed for 130K-Patient HIPAA Violation

A past IT Director of Community Health Center, Connecticut has charged that the healthcare provider did not tackle many security weaknesses and believes his employment was ended as a consequence of highlighting those problems to the higher management.

Additionally, when he was sent his own stuff the bundle he received is suspected to have included a computer hard drive on which there were roughly 130,000 medical files of existing and past patients of the Middletown clinic. The hard drive has been delivered to the state and the Attorney General’s Office is carrying out an inquiry into the matter.

Community Health Center manages 13 clinics in the Middletown area which include medical as well as dental centers, behavioral health hospitals and specific care services for HIV/AIDS patients.

Ali Eslami was hired by CHC as its IT Director and had maintained the position for 14 years. He declares to have told the top administration concerning the bad state of the IT safety and provided information on a possible hacking case; one that might have revealed the credit card information of its patients to unapproved people.

As per CHC, the hard drive which Eslami had in his custody wasn’t sent to him with his own stuff as it is suspected. CDC claims to have carefully checked all stuff that was dispatched to Eslami following the expiry of his service and that senior members of the administration had examined the items that were delivered. They confirm that just private stuff was included.

CHC charges that Eslami “threatened to deliberately reveal protected health information of CHC customers that he allegedly owns” and that CDC had taken those dangers earnestly and reported them to the correct authorities.

The possible hacking occurrence which Eslami contends happened was in part based on an inquiry he had carried out in which he pinpointed clinic databases that had credit card information when the data wasn’t used for any fiscal dealings. The system was developed to be free of this information, nevertheless, he found credit card information was present within the database and he doubted that it might have been used for fake intentions and that CDC “needed resources for information safety.”

CDC asserts that after it ended Eslami’s agreement he declined to provide them with vital passwords as well as access codes, including codes which encrypted the laptop CDC had delivered him. Eslami asserts that this wasn’t the case and he had not been able to log in to the systems because of his service being ended while he was compelled mental health leave.

The hard drive has now been delivered to CDC by the AG’s office to let it carry out its own inquiry. CDC has hired a forensic data company to decide the source of the hard drive substances and while the inquiry is continuing, CDC has verified that the hard drive wasn’t delivered to Eslami after his service had been ended.

The same security company also established that there was “no proof of loss or breach of data” and CDC claims that at no stage has its patient database been undermined. The AG inquiry and the litigation are both continuing.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.