Share this article on:
A bizarre mistake by the Texas Health and Human Services Commission has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. She was sent boxes containing items that had been collected from her old desk, but was also sent a box of benefits application forms.
After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork.
Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients.
The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated April 13, 2018 – 15 days after Ryans had been terminated.
Ryans contacted the Texas State Employees Union to seek advice about what she should do with the paperwork, after becoming concerned that she might be accused of stealing the documents. She was given assistance returning the paperwork to HHSC.
The reason for Ryans termination after 9 years working for HHSC was an alleged failure to ensure the security of client information and violating HIPAA Rules – something Ryans denies. The mailing of PHI to Ryans, who had no legal right to hold the information, would be considered a violation of HIPAA Rules in itself. However, at this stage HHSC has yet to confirm what sensitive information was detailed in the documents and whether HIPAA Rules had been accidentally violated.
The incident is currently being investigated by HHSC and the potential privacy breach has been reported to the Office of Inspector General. If it is confirmed that sensitive information was exposed and HIPAA Rules were violated, steps will be taken to remedy the breach and affected individuals will be notified.