A Texas health agency must pay nearly $2 million for exposing the electronic patient data—such as names, treatment information, and social security numbers—of roughly 7,000 people, the HHS said Nov. 7.
The Department of Health and Human Services Office for Civil Rights found that the Texas Department of Aging and Disability Services, now part of Texas Health and Human Services, failed to conduct an agency-wide risk analysis and to implement access and audit controls on its information systems and applications, as the Health Insurance Portability and Accountability Act requires.
The state health agency reported the breach in 2015 after an internal application was moved from a private, secure server to a public server, the agency said.
“Texas HHS takes information security and privacy seriously for all the people we serve. We are continually examining ways to strengthen our processes for the health and safety of Texans,” the state said in an emailed statement.
A flaw in the application's code let anyone reach the otherwise protected electronic health data without access credentials, a violation of the HIPAA Privacy and Security Rules.
Because the agency had not implemented adequate audit controls, it could not determine how many unauthorized people had accessed the patients' protected health information.
“Covered entities need to know who can access protected health information in their custody at all times,” OCR Director Roger Severino said. “No one should have to worry about their private health information being discoverable through a Google search.”