In Monroeville, have politics and personal allegiances trumped data privacy and security?
A PHIprivacy.net editorial.
As regular readers know, PHIprivacy.net and PogoWasRight.org have been covering breach accusations involving the emergency medical dispatch (EMD) and police criminal history databases in Monroeville, Pennsylvania. The town’s investigation into the allegations, an independent forensic evaluation of the security controls in use for the systems, and a subsequent state attorney general’s investigation all confirmed multiple issues of concern in Monroeville:
- Information from Monroeville’s EMD system was being sent by e-mail/SMS alerts to individuals who were not active responders and hence should not have had access to the information. In at least one case, a page sent to a non-responder was then forwarded to a civilian who was also not an emergency responder. Take a look at the information involved in the page, which has been redacted to remove the address of the aided, and ask yourself if you would like such information about you or a family member shared with those who have no need to know because your chief of police refused to allow the assistant chief of police to restore necessary and appropriate security settings that had been willfully subverted by some members of the department.
If the Monroeville 911 Center is covered by HIPAA (and that remains to be determined by HHS), sending information to those who have no need to know because they are not responders would likely constitute a violation of the Privacy Rule and could result in monetary penalties for Monroeville. Yet when informed of the concerns by then-Asst. Chief of Police Pascarella, then-Chief of Police Doug Cole did not take prompt and appropriate action until after Pascarella filed a HIPAA complaint with HHS in August 2012.
- Information from Monroeville’s EMD system was accessible to, and accessed by, members of fire stations (fire companies) who were not being dispatched on an EMS call. The access occurred via the willful and intentional subversion of the default security configuration in the software that would have limited access and information to only those who would be assigned to/responding to a call. Monroeville was sold a HIPAA-compliant system but subverted it for over two years while the Chief of Police reportedly resisted efforts to restore the system’s security and privacy controls.
If the Monroeville 911 Center is covered by HIPAA (and that remains to be seen), access by those not involved in the response to the aided would likely constitute a violation of the Privacy Rule and could result in monetary penalties. Yet when Pascarella and at least one other person reportedly raised the concern with Chief Cole on numerous occasions, he refused to authorize the necessary controls, saying that the firefighters had no malicious intent and just wanted to know what was going on in case they needed to respond.
- Dispatch information was also accessed by members of the public after the now-generic login and access controls were intentionally shared with some individuals who were not members of the fire department. Such inappropriate access went on for over a year. Two dispatchers were subsequently terminated for sharing the logins with others.
If the Monroeville 911 Center is covered by HIPAA (and that remains to be seen), willful disclosure of login credentials would constitute a violation of the Security Rule and could result in monetary penalties – particularly if HHS determines that when notified of the problem by at least two members of the department, Chief Cole took no action to secure the system and prevent further inappropriate access.
- Members of Monroeville’s volunteer fire department as well as some members of the public were able to access police databases (CAD) that they should not have been able to access, exposing sensitive criminal history data that is protected under state law. On at least one occasion, members of the fire department discussed a rape case and were able to access the police dispatcher’s comments on the emergency call.
- Someone deleted traffic violation information on the man whose EMD dispatch information had been disclosed improperly to others.
HHS is investigating the EMD aspects following a complaint filed by then-Assistant Chief Pascarella in August 2012. Its investigation appears to still be open.
PHIprivacy.net was able to obtain a copy of the town’s confidential investigative report. Because redacting it proved to be challenging on a number of levels, only the interviews with Pascarella and Cole are being uploaded here. What the town’s and state’s investigations revealed can be summarized this way, however:
1. The town purchased and deployed new software in August 2010. The default and recommended security settings would have restricted – and did restrict – access to EMD dispatch information to the fire station responsible for responding.
2. Some members of the fire department did not like that system. They wanted all fire stations to be able to receive all EMS dispatches, as they had been able to do under the previous system. The Chief of Police, himself a firefighter and past-president of Fire Company 4, resisted all efforts by Pascarella to restore proper security settings, allegedly telling Pascarella that firefighters were not acting maliciously in trying to view all calls and that it would be too burdensome to insist on individual user login credentials – even though the police department uses individual login credentials and such controls are absolutely necessary to enable auditing and access control.
Additionally, changes to the configuration resulted in members of the fire department being able to access police files that they never should have been able to access. Both Pascarella and others reported that they repeatedly tried to remedy the situation, but Chief Cole would neither authorize the proper response nor take effective steps himself to protect the police databases. In its own investigation, the state attorney general’s office confirmed the violation of state law and the municipal handbook, and cautioned Monroeville that any further instances of noncompliance could result in civil and criminal sanctions.
When asked by the town’s investigator about all the conversations Pascarella had reportedly had with him about security concerns, Cole, accompanied by his attorney, repeatedly denied recollection of any of the numerous conversations reported by Pascarella. Testimony by Kenneth Kuzins, however, confirmed Pascarella’s version of events and noted how he, too, had tried on numerous occasions to get the Chief to comply with security and privacy standards, only to encounter resistance and outright refusal. Readers can compare the interviews of Pascarella and Cole by the town’s investigator and draw their own conclusions about credibility.
Chief Cole was subsequently demoted and fired by the town manager after the HHS complaint was disclosed. Asst. Chief Pascarella was promoted. Not surprisingly, perhaps, Chief Cole fought his termination on contractual grounds, and a court-ordered arbitrator recently ruled that the town violated his contract.
The whole case seems to have become a political mess in Monroeville, with some people suggesting that Pascarella should be disciplined for filing a complaint with HHS, and that Cole should be reinstated as Chief of Police. Calling for Pascarella to be disciplined would be short-sighted coming from a member of the public and irresponsible coming from a member of the town council. Pascarella was obligated to ensure that EMD and police databases were properly secured and protected. When going to his supervisor failed to produce the necessary changes, he did what PHIprivacy.net hopes others would have the courage and integrity to do: he blew the whistle. As a result of his actions, and after more than two years of inadequate security and privacy protections, the residents of Monroeville have greater assurance that their medical privacy will be protected and that any information on them in police databases will also be better protected from snooping eyes. Those condemning Steven Pascarella should have been throwing him a parade as an exemplary public servant. Instead, he has reported being harassed because of his ethical conduct. Sadly, it now appears he has resigned his position as Chief due to the stress he has endured as a result of trying to do the right thing.
If HHS determines that Monroeville is covered by HIPAA, it will be looking for a corrective action plan and some assurances that these breaches will not happen again. Restoring Chief Cole as chief of police will likely not inspire the necessary confidence in any plan unless he agrees to undergo training in HIPAA and mandates training for all employees and firefighters who will have access to databases and personal information. In the alternative, he should not have final say on data privacy and security; Lt. Pascarella should have the final say in that area, as he was correct all the way down the line.
Will HHS/OCR fine Monroeville if they determine that the 911 center is a covered entity under HIPAA? They might if they want to make a point and put all HIPAA-covered EMDs on notice. Given the flagrant violations contained in the investigative reports, they may well choose to impose a fine. If they do, PHIprivacy.net hopes that the people of Monroeville realize that the fine is not the fault of Lt. Pascarella, but of those who did not heed his and others’ urging to address the privacy and security concerns.
In the meantime, PHIprivacy.net wishes Steven Pascarella well. He did the right thing, and it’s a shame that some in his community do not recognize what a valuable public servant they have in him.