The Texas Health and Human Services Commission (TX HHSC) was assessed a $1.6 million civil money penalty by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations between 2013 and 2017.
TX HHSC operates state-supported living centers, mental health and substance use services, child care and nursing facilities, and hundreds of assistance programs, including supplemental nutrition benefits and Medicaid.
In September 2017, The Department of Aging and Disability Services (DADS) that handles long-term care services for the aging and those with intellectual and physical disabilities was also integrated into TX HHSC.
DADS reported a data breach to OCR on June 11, 2015, concerning the electronic protected health information (ePHI) of 6,617 people that was viewable to anyone on the internet. The ePHI included names, addresses, social security numbers, and treatment information.
A software code flaw enabled access to ePHI without access credentials when an internal application was moved from a private, secure server to a public server.
In addition to the unwarranted disclosure, OCR’s investigation found that DADS failed to:
DADs could not determine how many unauthorized people had accessed the ePHI on the internet because of their inadequate audit controls.
Roger Severino, OCR Director issued a severe statement that said "Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search."
TX HHSC did not contest the findings against them by OCR and waived the right to request a hearing and petition for judicial review. The organization has agreed to pay the $1.6 million penalty that was ordered in the Notice of Final Determination delivered on October 25, 2019.