Texas Health and Human Services pays $1.6M fine for HIPAA violations

The Texas Health and Human Services Commission (TX HHSC) was assessed a $1.6 million civil money penalty by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations between 2013 and 2017.

TX HHSC operates state-supported living centers, mental health and substance use services, child care and nursing facilities, and hundreds of assistance programs, including supplemental nutrition benefits and Medicaid. 

In September 2017, the Department of Aging and Disability Services (DADS), which handles long-term care services for the aging and for those with intellectual and physical disabilities, was also integrated into TX HHSC.

ePHI released over the internet

DADS reported a data breach to OCR on June 11, 2015, concerning the electronic protected health information (ePHI) of 6,617 people that was viewable by anyone on the internet. The ePHI included names, addresses, social security numbers, and treatment information.

A flaw in the application's code allowed the ePHI to be accessed without any access credentials once the internal application was moved from a private, secure server to a public server.

OCR’s investigation of the breach

In addition to the impermissible disclosure itself, OCR's investigation found that DADS had failed to:

  • Conduct an enterprise-wide risk analysis
  • Implement access and audit controls on its information systems and applications

Because of its inadequate audit controls, DADS could not determine how many unauthorized people had accessed the ePHI on the internet.

Conclusion

OCR Director Roger Severino issued a stern statement: "Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search."

TX HHSC did not contest OCR's findings and waived its right to request a hearing and to petition for judicial review. The organization has agreed to pay the $1.6 million penalty ordered in the Notice of Final Determination delivered on October 25, 2019.

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
