The Texas Health and Human Services Commission (TX HHS) must pay a civil penalty of $1.6 million for having violated HIPAA.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) imposed the penalty in response to HIPAA violations that took place between 2013 and 2017. Prior to reorganizing under its current name in September 2017, TX HHS was known as the Department of Aging and Disability Services (DADS).

This state agency filed a breach report with OCR in June 2015 in which it stated that a security incident had exposed the electronic protected health information (ePHI) of 6,617 individuals. That data included victims' names, Social Security numbers and treatment records. The breach report traced the incident to a period when DADS migrated an internal application from a private, secure server to a public server. A flaw in the application's code had then allowed anyone to access the ePHI.

In its analysis of the breach, OCR found that DADS had failed to conduct an enterprise-wide risk analysis. It also found that the agency had failed to implement proper access controls on its information systems, a security measure required under HIPAA. Because access to the exposed data was neither restricted nor logged, OCR was unable to determine how many people had accessed the exposed ePHI. Roger Severino, director of the OCR, said in an HHS statement that the monetary penalty was justified:
Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search.
This announcement comes just a few weeks after the OCR announced a civil money penalty of $2.15 million against Jackson Health System (JHS) after the Miami-based nonprofit academic medical system violated some of HIPAA's provisions back in 2013. These incidents highlight the importance of organizations making sure they're in compliance with HIPAA. Tripwire can help in that regard.