On November 7, 2019, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced a $1.6 million civil penalty imposed against the Texas Health and Human Services Commission (“TX HHSC”), a state agency, for violations of HIPAA Privacy and Security Rules in connection with the unauthorized disclosure of electronic protected health information (“ePHI”). The ePHI breach – which exposed names, addresses, Social Security numbers, and treatment information of at least 6,617 individuals – was first reported to OCR on June 11, 2015, by Texas’s Department of Aging and Disability Services (“DADS”).
DADS collected the ePHI for a disability assistance program and to report utilization to the Centers for Medicare & Medicaid Services pursuant to a waiver program under the Social Security Act. The exposure began when a web-based application with access to the ePHI was transferred from a secure private server to a public server, allowing unauthorized users to access the data without credentials. DADS learned of the breach from an unauthorized user who was able to access the data without inputting credentials. According to HHS, “[b]ecause of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.” In 2017, DADS was folded into the TX HHSC, a state authority that administers public health services and facilities.
OCR found that TX HHSC violated the HIPAA Privacy and Security Rules by:
- impermissibly disclosing the PHI of at least 6,617 individuals by placing a web application on its public server, permitting unauthorized users to view ePHI without verifying user credentials;
- failing to implement access controls, such as requiring users to provide credentials to gain access to the ePHI;
- failing to implement audit controls, such as ensuring that the application was capable of auditing user access after it was moved to the unsecure public server; and
- failing to perform an accurate, thorough, and enterprise-wide risk analysis.
In determining the amount of the civil monetary penalty, OCR noted that the violations did not result in any known physical, financial or reputational harm to any individuals, nor hinder any individual’s ability to obtain health care. Furthermore, TX HHSC immediately removed the application once it learned of users’ unauthorized access. However, HHS also noted that DADS failed to complete an agency wide risk analysis by the date it committed to in a remediation response to OCR. HHS thus imposed a penalty of $1,000 per day, as provided for under the HITECH Act, for violations it found to be due to reasonable cause and not willful neglect.