Covered entities are responsible
The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two month later, disabled the backup systems and then systematically destroyed patient data. For this, Olsen faces an indictment (download PDF), a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.]
Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly."
How in the world can an adminsitrator leave the building after termination and still be able to access systems? This is beyond stupid, it is transcendently irresponsible.