Dear Patient

Lucy Gellman Photo

Health chief Kennedy: Unanswered questions on data breach.

New Haven’s health director wrote to hundreds of people with sexually transmitted diseases to convey unsettling news: Their personal data had been hacked.

[A] former employee may have accessed patient demographic information in a file at the Health Department,” city Health Director Byron Kennedy wrote. The information included your name, address, date of birth, race/ethnicity, gender and sexually transmitted disease test reports but did not include other health information, social security number or billing data.”

Kennedy wrote the letter on Jan. 20 — more than five months after he and other city officials learned that a recently fired employee had brushed past a security guard and, in the company of a union official, snuck back into her old office and eliminated from a government database the personal records of at least 587 people with sexually transmitted diseases or lead poisoning, according to a subsequent arrest warrant. The woman also transferred files from her old computer onto a thumb drive; it’s unclear whether or not those files included the patient records. Kennedy learned about the incident and contacted police the following day. Police eventually arrested the former employee on computer crime charges.

Click here to read a previous story detailing the case.

The Harp administration Thursday released a copy of a letter it said Kennedy subsequently sent to 498 of the people whose records were tampered with. (It’s unclear why that number differs from the 587 in the arrest warrant.)

As soon as we learned that the former employee had obtained access to the Health Department offices, we notified the New Haven Police Department. To the best of our knowledge, they have not completed their investigation of the incident, but currently they do not have any indication that the information obtained had been used nefariously. We have also made internal changes to better safeguard your private information, which includes updating and re-training staff on policies pertaining to patient confidentiality, medical records, and incident reporting, and the City’s computer hardware and software policy.”

We take the role of protecting your personal information seriously and are taking steps to prevent this from happening again in the future,” Kennedy assured recipients.

Mayoral spokesman Laurence Grotheer said Thursday that the administration heard from a few” of the letter recipients in response to the letter.

Kennedy has not responded to requests and the Harp administration has not made him available for interviews — to explain, for instance, how security failed to stop the ex-employee from entering the office, or specifically what steps” have been taken since, or whether the files transferred to the ex-employee’s thumb drive included the private patient information — since the news of the arrest broke last week. The administration claims that’s because the investigation is ongoing.”

Police closed their investigation upon arresting the ex-employee on March 10. The state and the police do sometimes decline to answer questions about a pending case (and at other times do not) with the argument that it technically remains ongoing” while it wends its way through the courts.

Tags:

Sign up for our morning newsletter

Don't want to miss a single Independent article? Sign up for our daily email newsletter! Click here for more info.