The Texas Health and Human Services Commission (TX HHSC) has been hit with a $1.6 million civil money penalty by the Office for Civil Rights (OCR) for allowing some patient data to be viewable over the Internet.
TX HHSC is part of the Texas HHS system, and has a wide range of responsibilities, including operating state supported living centers, providing mental health and substance use services, regulating child care and nursing facilities; and administering hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid.
The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.
According to a recent OCR press release, DADS filed a breach report with the department stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information.
The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials, according to officials.
OCR's investigation determined that, in addition to the impermissible disclosure, “DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals' ePHI.”
OCR Director Roger Severino said in a statement, “Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search."