Texas health agency to pay $1.6M fine for HIPAA violations

The Department of Health and Human Services’ Office for Civil Rights has imposed a $1.6 million civil money penalty against the Texas Health and Human Services Commission for HIPAA violations.

The OCR enforcement action stems from HIPAA violations that occurred between 2013 and 2017 involving the Department of Aging and Disability Services (DADS), a state agency that was reorganized into the Texas Health and Human Services Commission in September 2017.

[Image: Texas Health and Human Services Commission]

“On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, Social Security numbers and treatment information,” states an HHS announcement. “The breach occurred when an internal application was moved from a private, secure server to a public server, and a flaw in the software code allowed access to ePHI without access credentials.”

The HIPAA Security Rule requires a covered entity to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

Specifically, the DADS security vulnerability involved a web-facing application designed for the Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities (CLASS/DBMD) program.

DADS learned about the breach from an unauthorized user who accessed ePHI in the application without being required to input user credentials.

OCR found that, by placing the CLASS/DBMD application on its public server without requiring users to provide access credentials, DADS had failed to implement access controls on all of its systems and applications throughout its enterprise.

OCR determined that DADS “failed to conduct an enterprise-wide risk analysis” and didn’t “implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule.” Because it had inadequate audit controls, DADS was “unable to determine how many unauthorized persons accessed individuals’ ePHI,” according to OCR.
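The two controls OCR cited, access controls and audit controls, are easier to see in code than in regulatory language. The following is an added illustration and is not code from the DADS CLASS/DBMD application, HHSC or OCR. It shows a minimal ePHI lookup handler in the shape the announcement describes (served to any caller, nothing recorded) beside a hardened handler that requires a session, restricts each user to an assumed caseload, and writes an audit entry for every attempt, so the question OCR raised, who accessed a given record, can be answered from the log. The record store, session tokens, caseload table, request layout and the `handle_before`/`handle_after`/`who_read`/`denied_attempts` names are all constructed for this example.

```python
"""Access control and audit logging for an ePHI lookup endpoint.

Added example; not code from the DADS CLASS/DBMD application, HHSC or OCR.
Records, tokens and caseloads below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hmac
from typing import Optional

# Constructed ePHI store: record id -> fields (placeholder values only).
RECORDS = {
    "case-1001": {"name": "Sample Person A", "ssn": "000-00-0001",
                  "treatment": "CLASS/DBMD services"},
    "case-1002": {"name": "Sample Person B", "ssn": "000-00-0002",
                  "treatment": "respite care"},
}

# Constructed session table (token -> user) and caseload table (user -> records).
# In a real deployment the tokens come from the login flow, not a dict.
SESSIONS = {"tok-caseworker-1": "caseworker1", "tok-caseworker-2": "caseworker2"}
CASELOAD = {"caseworker1": {"case-1001"}, "caseworker2": {"case-1002"}}


@dataclass
class Request:
    record_id: str
    session_token: Optional[str] = None
    remote_addr: str = "203.0.113.10"  # constructed documentation address


@dataclass
class Response:
    status: int
    body: dict


@dataclass
class AuditEntry:
    ts: str
    user: Optional[str]
    record_id: str
    outcome: str  # read | denied-unauthenticated | denied-unauthorized | not-found
    remote_addr: str


AUDIT_LOG: list = []  # module-level log; handlers can be handed another list


def _user_for_token(token: Optional[str]) -> Optional[str]:
    """Map a session token to a user, comparing in constant time per token."""
    if not token:
        return None
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None


def handle_before(req: Request) -> Response:
    """The failure the announcement describes: the record is returned to any
    caller and nothing is recorded, so afterwards no one can say who looked."""
    record = RECORDS.get(req.record_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def handle_after(req: Request, log: Optional[list] = None,
                 now: Optional[datetime] = None) -> Response:
    """Hardened handler: authenticate, authorize against the caseload, and
    write one audit entry for every attempt, whether allowed or denied."""
    log = AUDIT_LOG if log is None else log
    ts = (now or datetime.now(timezone.utc)).isoformat()
    user = _user_for_token(req.session_token)
    if user is None:
        log.append(AuditEntry(ts, None, req.record_id, "denied-unauthenticated", req.remote_addr))
        return Response(401, {"error": "authentication required"})
    if req.record_id not in CASELOAD.get(user, set()):
        # Deny before the lookup so a user cannot learn which ids exist outside their caseload.
        log.append(AuditEntry(ts, user, req.record_id, "denied-unauthorized", req.remote_addr))
        return Response(403, {"error": "not permitted"})
    record = RECORDS.get(req.record_id)
    if record is None:
        log.append(AuditEntry(ts, user, req.record_id, "not-found", req.remote_addr))
        return Response(404, {"error": "not found"})
    log.append(AuditEntry(ts, user, req.record_id, "read", req.remote_addr))
    return Response(200, record)


def who_read(record_id: str, log: Optional[list] = None) -> set:
    """The question DADS could not answer: which users read this record."""
    log = AUDIT_LOG if log is None else log
    return {e.user for e in log if e.record_id == record_id and e.outcome == "read"}


def denied_attempts(log: Optional[list] = None) -> dict:
    """Count denied attempts per outcome; a burst of unauthenticated denials is
    the signal that the application is reachable without its login in front."""
    log = AUDIT_LOG if log is None else log
    counts: dict = {}
    for e in log:
        if e.outcome.startswith("denied"):
            counts[e.outcome] = counts.get(e.outcome, 0) + 1
    return counts


if __name__ == "__main__":
    print(handle_before(Request("case-1001")))                     # served, no credentials
    print(handle_after(Request("case-1001")))                      # 401, logged
    print(handle_after(Request("case-1001", "tok-caseworker-1")))  # 200, logged
    print(handle_after(Request("case-1002", "tok-caseworker-1")))  # 403, logged
    print(who_read("case-1001"), denied_attempts())
```

The point of logging denials as well as successful reads is that the log then doubles as a detection source: if the same application were ever moved in front of the public again, the stream of `denied-unauthenticated` entries from unfamiliar addresses would show it long before a breach report did.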

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino in a written statement. “No one should have to worry about their private health information being discoverable through a Google search.”
