Texas Health Agency Fined $1.6m for Data Breach

A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online.

The Texan commission inadvertently made the names, addresses, Social Security numbers, and treatment information of 6,617 people visible on the internet between 2013 and 2017. 

The breach occurred when an internal application was moved to a public server from a private server. A flaw in the app's software then made the sensitive information visible to the public without any need for access credentials to be entered.

According to the federal Office for Civil Rights (OCR), the data exposed in the breach was in the care of the Texas Department of Aging and Disability Services. Before it was reorganized into the Health and Human Services Commission in 2017, the department's role was to provide long-term care to Texans with physical and mental disabilities and to the elderly.

The OCR said the data breach was a violation of federal health privacy laws.

"No one should have to worry about their private health information being discoverable through a Google search," said Roger Severino, director of the Office for Civil Rights.

An investigation into the breach by the OCR found the audit controls in place at the Health and Human Services Commission to be inadequate. Because of this, the federal agency was unable to determine exactly how many unauthorized people had viewed the private information.

A further determination of the OCR investigation was that the Texas health agency failed to conduct a risk analysis and implement access and audit controls on its information systems as required by the Health Insurance Portability and Accountability Act, commonly known as HIPAA.
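The two control failures the article describes, an application that served records without requiring credentials once it was moved to a public server, and audit logging too weak to say who had viewed what, are illustrated below. This is an added example, not code from the Texas agency or its application (which is not public); the record data, the token store, and the endpoint layout are constructed for the illustration. It shows the "before" handler that trusts its network location, the "after" handler that checks a credential and records every access attempt, and the kind of per-viewer count an investigator would want from the audit log.

```python
"""Added illustration (not the Texas HHSC application): a records endpoint that
trusted its network location, beside a version that requires a credential and
writes every access attempt to an audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hmac

# Constructed sample data of the kind the article describes (fictional people).
RECORDS = {
    "1001": {"name": "A. Example", "ssn_last4": "0000", "treatment": "home care"},
    "1002": {"name": "B. Example", "ssn_last4": "1111", "treatment": "physical therapy"},
}

# Constructed credential store (hypothetical: one opaque bearer token per staff user).
VALID_TOKENS = {"tok-caseworker-7": "caseworker7"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class AuditEntry:
    when: str        # ISO-8601 UTC timestamp
    actor: str       # authenticated user, or "unauthenticated"
    record_id: str   # record the caller asked for
    outcome: str     # "served", "denied" or "not_found"


def _record_id(req):
    return req.path.rsplit("/", 1)[-1]


def handle_before(req):
    """'Before': written for a private server, the app assumes only staff can
    reach it, so it serves any record to any caller. Moving this unchanged to a
    public server exposes every record to anyone who can guess a URL."""
    rec = RECORDS.get(_record_id(req))
    return (200, rec) if rec else (404, None)


def _authenticate(req):
    """Return the user for a valid bearer token, else None. Constant-time compare
    so the check itself leaks nothing about which tokens exist."""
    token = req.headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):].strip()
    for known, user in VALID_TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            return user
    return None


def handle_after(req, audit_log):
    """'After': every request must present a known credential, and every attempt,
    allowed or denied, is appended to the audit log so the organisation can later
    state exactly who viewed which record."""
    record_id = _record_id(req)
    now = datetime.now(timezone.utc).isoformat()
    actor = _authenticate(req)
    if actor is None:
        audit_log.append(AuditEntry(now, "unauthenticated", record_id, "denied"))
        return (401, None)
    rec = RECORDS.get(record_id)
    audit_log.append(AuditEntry(now, actor, record_id, "served" if rec else "not_found"))
    return (200, rec) if rec else (404, None)


def accesses_by_actor(audit_log):
    """The question an investigator asks after a breach: which records were
    actually served, to whom, and how many times? Answerable only if the log exists."""
    counts = {}
    for entry in audit_log:
        if entry.outcome == "served":
            key = (entry.actor, entry.record_id)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    log = []
    print(handle_before(Request("/records/1001")))               # served to anyone
    print(handle_after(Request("/records/1001"), log))            # (401, None)
    print(handle_after(Request("/records/1001",
                               {"Authorization": "Bearer tok-caseworker-7"}), log))
    print(accesses_by_actor(log))
```

The point of the "after" version is not the token scheme, which is a placeholder, but that authorization is decided per request rather than inferred from where the server sits, and that denials are logged as well as successes: without the denied entries, the number of unauthorized viewers is exactly the figure the OCR could not reconstruct.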

In May, the Texas Legislature approved a settlement agreement with the federal government to bring the matter to a conclusion, which included accepting the hefty $1.6m fine.

Kelli Weldon, a press officer for the Texas health agency, said officials take information security and privacy seriously.

"We are continually examining ways to strengthen our processes for the health and safety of Texans," Weldon said.

The substantial fine is the second seven-figure penalty imposed by the OCR this month after the University of Rochester Medical Center was fined $3m on November 5 for failing to encrypt mobile devices.
