HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texas Department of Aging and Disability Services Discovers Potential 8-Year HIPAA Breach

The Texas Department of Aging and Disability Services (DADS) has started notifying patients of an error that resulted in a HIPAA breach that exposed the Protected Health Information (PHI) of 6,600 Medicaid recipients.

The error involved web application data being accessible via the internet when the application was intended to be for internal use only. DADS was alerted to the error on April 27, 2015, although the breach notice did not state when the error was made or for how long the data was freely available over the internet. A news report in The Statesman indicates that the data could potentially have been exposed for up to 8 years.

Investigations into the DADS HIPAA Data Breach Continue


DADS is unsure how the data breach occurred, although an investigation into the matter is ongoing. At this point in time the most likely cause of the data breach was human error, with a mistake made when the application was developed, although according to departmental spokesperson, Cecilia Cavuto, “it is possible the data had accidentally been posted online when its handling was transferred to another department last fall.”

The security breach resulted in the PHI of highly vulnerable individuals being accessible online. That information included healthcare data, personally identifiable information (PII) – names, home addresses, mailing addresses, and dates of birth – Social Security numbers and Medicaid numbers. No evidence has been uncovered – at this point in time – indicating any of the data has been accessed or used inappropriately.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Due to the length of time that the breach has been allowed to persist it is essential that breach victims check credit histories, insurance and benefits statements for any sign of fraudulent activity. The families of affected individuals should assist with this process. DADS recommends placing a fraud alert on credit, although with the data having been available online for so long it is possible that instances of fraud have already taken place.

HIPAA Breach Notification Rules


When a PHI data breach is identified, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to take immediate action to stop the breach, patients must be notified in writing and the incident must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Breach Notices should also be issued to State Attorney General’s offices as appropriate and a notice issued to the media.

The web application was taken offline on April 27 when the breach was discovered and DADS is in the process of sending breach notification letters to all affected patients. A breach notice has also been posted on the DADS website

In an effort to mitigate any risk of the data being used inappropriately, all affected individuals are being offered a year of credit monitoring and identity theft restoration services without charge. Breach notification letters are now being dispatched to the residences of affected individuals and a code is being provided which is needed to activate the credit monitoring services.

Patients should also obtain free annual credit reports from each of the three credit monitoring bureaus – Equifax, Experian and TransUnion. These should be requested at the earliest possible opportunity.

Office for Civil Rights Could Fine DADS up to $12 million for the HIPAA Violation


The OCR investigates all breach reports involving over 500 individuals. When a HIPAA violation appears to have occurred, a full compliance review can be initiated.

Cavuto said, “It looks like the application was developed without the appropriate security.” This would be a clear violation of the HIPAA Security Rule, which requires the PHI of patients to be safeguarded with technical, physical and administrative controls.

The OCR is the enforcer of HIPAA Rules and the agency can issue fines for HIPAA violations up to a maximum of $1.5 million per violation category.

However, that fine can be multiplied by the number of years that a violation has been allowed to exist, which means a financial penalty of up to $12 million could be issued. If an OCR investigation is conducted that reveals other HIPAA violations, the potential fine could be considerably higher.

The OCR does not issue fines 100% of the time, but it does investigate every single breach report to check for potential HIPAA violations and action is taken against healthcare providers and other covered entities that fail to adhere to HIPAA Rules. The agency is likely to be interested to hear why a HIPAA risk analysis did not pick up the error.

DADS is now conducting a thorough risk analysis to check for any other security vulnerabilities and will be conducting a full review of its computer systems to identify any other potential data breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.