Texas HHSC fined $1.6 million for HIPAA breach

November 19, 2019
Medicare Web

The Office of Civil Rights (OCR) recently imposed a $1.6 million civil penalty against the Texas Health and Human Services Commission (TX HHSC) for a data breach that enabled unauthorized individuals to view the protected health information (PHI) of 6,617 individuals.

TX HHSC is a state agency that operates supported living centers, provides mental health and substance abuse services, regulates nursing and childcare facilities, and administers hundreds of programs, including Medicaid, for people who need assistance.

OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS) in 2015. In its report, DADS stated that the PHI of affected individuals was viewable over the internet. Exposed information included names, addresses, Social Security numbers, and treatment information. 

OCR’s investigation determined that the breach occurred after an internal application was moved from a private, secure server to a public server. A flaw in the application's software allowed users to access electronic PHI without any authentication.

TX HHSC didn’t contest the findings of OCR’s Notice of Proposed Determination and waived its right to a hearing. 
