Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

1 min read

Texas Health and Human Services pays $1.6M fine for HIPAA violations

Texas Health and Human Services pays $1.6M fine for HIPAA violations

The Texas Health and Human Services Commission (TX HHSC) was assessed a $1.6 million civil money penalty by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations between 2013 and 2017.

TX HHSC operates state-supported living centers, mental health and substance use services, child care and nursing facilities, and hundreds of assistance programs, including supplemental nutrition benefits and Medicaid. 

In September 2017, The Department of Aging and Disability Services (DADS) that handles long-term care services for the aging and those with intellectual and physical disabilities was also integrated into TX HHSC. 

 

ePHI released over the internet

 

DADS reported a data breach to OCR on June 11, 2015, concerning the electronic protected health information (ePHI) of 6,617 people that was viewable to anyone on the internet. The ePHI included names, addresses, social security numbers, and treatment information. 

A software code flaw enabled access to ePHI without access credentials when an internal application was moved from a private, secure server to a public server.    

 

OCR’s investigation of the breach

 

In addition to the unwarranted disclosure, OCR’s investigation found that DADS failed to: 

 

  • Conduct an enterprise-wide risk analysis
  • Implement access and audit controls on its information systems and applications

 

DADs could not determine how many unauthorized people had accessed the ePHI on the internet because of their inadequate audit controls. 

 

Conclusion

 

Roger Severino, OCR Director issued a severe statement that said "Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search."

TX HHSC did not contest the findings against them by OCR and waived the right to request a hearing and petition for judicial review. The organization has agreed to pay the $1.6 million penalty that was ordered in the Notice of Final Determination delivered on October 25, 2019.   

 

Try Paubox Email Suite for FREE today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.