The Texas Department of Aging and Disability Services (DADS) has started notifying patients of an error that resulted in a HIPAA breach that exposed the Protected Health Information (PHI) of 6,600 Medicaid recipients.
The error involved web application data being accessible from the internet when the application was intended for internal use only. DADS was alerted to the error on April 27, 2015, although the breach notice did not state when the error was made or for how long the data was reachable from the internet. A news report in The Statesman indicates that the data may have been exposed for up to eight years.
Investigations into the DADS HIPAA Data Breach Continue
DADS does not yet know how the data breach occurred; an investigation into the matter is ongoing. The most likely cause is human error, a mistake made when the application was developed, although according to departmental spokesperson Cecilia Cavuto, “it is possible the data had accidentally been posted online when its handling was transferred to another department last fall.”
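The failure described above, an application that was assumed to be reachable only from inside the agency and therefore enforced no access control of its own, is worth seeing in code. The following is an added example written for this article, not code from DADS or from the application in question. It models the request-authorization decision for a hypothetical internal PHI application: the version as deployed (no check at all), a common but unsafe half-fix that trusts the client-supplied X-Forwarded-For header to decide whether a caller is internal, and a hardened version that uses the socket peer address and additionally requires an authenticated session for the PHI paths. The RFC 1918 ranges, the `/records/` path prefix and the sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed assumption: RFC 1918 ranges stand in for the agency's internal network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical path prefix under which the application serves Medicaid records.
PHI_PREFIX = "/records/"


@dataclass
class Request:
    client_ip: str                          # peer address as seen on the TCP socket
    path: str
    session_user: Optional[str] = None      # set only after a real login
    x_forwarded_for: Optional[str] = None   # header supplied by the client, untrusted


def is_internal(ip_text: str) -> bool:
    """True if the address parses (IPv4 or IPv6) and lies in an internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def authorize_as_deployed(req: Request) -> bool:
    """The failure mode: the application assumes the network keeps outsiders away
    and performs no check, so any request that reaches it is served."""
    return True


def authorize_naive(req: Request) -> bool:
    """An unsafe half-fix: decide 'internal' from X-Forwarded-For when present.
    The header is attacker-controlled, so a public client can claim an internal
    address and pass the check."""
    claimed = req.x_forwarded_for or req.client_ip
    return is_internal(claimed)


def authorize(req: Request) -> Tuple[bool, str]:
    """Defence in depth for a supposedly internal PHI application:
    1. the socket peer address must be on an internal network (headers ignored);
    2. PHI paths additionally require an authenticated session, so that a
       network misconfiguration alone does not expose records."""
    if not is_internal(req.client_ip):
        return (False, "client not on internal network")
    if req.path.startswith(PHI_PREFIX) and req.session_user is None:
        return (False, "authentication required for PHI")
    return (True, "ok")


# Constructed sample requests: a public client, the same client spoofing the
# header, an internal client without a session, and a logged-in internal user.
SAMPLES: Dict[str, Request] = {
    "public":          Request("203.0.113.7", "/records/12345"),
    "public_spoofed":  Request("203.0.113.7", "/records/12345", x_forwarded_for="10.1.2.3"),
    "internal_nologin": Request("10.20.30.40", "/records/12345"),
    "internal_login":  Request("10.20.30.40", "/records/12345", session_user="caseworker"),
    "internal_health": Request("10.20.30.40", "/health"),
}


def evaluate_samples() -> Dict[str, Dict[str, bool]]:
    """Run every sample through all three policies; returns name -> policy -> allowed."""
    return {
        name: {
            "as_deployed": authorize_as_deployed(req),
            "naive": authorize_naive(req),
            "hardened": authorize(req)[0],
        }
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_samples().items():
        print(f"{name:18s} {verdicts}")
```

The spoofed case is the one to notice: the naive policy lets a public client through simply because it asserted an internal address in a header, while the hardened policy ignores the header entirely and, for PHI paths, still demands a login even from a genuinely internal address.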
The security breach left the PHI of highly vulnerable individuals accessible online. That information included healthcare data; personally identifiable information (PII) such as names, home addresses, mailing addresses and dates of birth; Social Security numbers; and Medicaid numbers. No evidence has so far been uncovered that any of the data has been accessed or used inappropriately.
Because the data may have been exposed for so long, it is essential that breach victims check their credit histories and their insurance and benefits statements for any sign of fraudulent activity. The families of affected individuals should assist with this process. DADS recommends placing a fraud alert on credit files, although with the data having been available online for so long it is possible that instances of fraud have already taken place.
HIPAA Breach Notification Rules
When a PHI breach is identified, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to act immediately to contain it. Under the HIPAA Breach Notification Rule, affected patients must be notified in writing without unreasonable delay and no later than 60 days after discovery, and the incident must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area, and state breach notification laws may additionally require notice to the State Attorney General’s office.
The web application was taken offline on April 27, the day the breach was discovered, and DADS is in the process of sending breach notification letters to all affected patients. A breach notice has also been posted on the DADS website.
In an effort to mitigate any risk of the data being used inappropriately, all affected individuals are being offered a year of credit monitoring and identity theft restoration services without charge. Breach notification letters are now being dispatched to the residences of affected individuals and a code is being provided which is needed to activate the credit monitoring services.
Patients should also obtain their free annual credit reports from each of the three credit reporting bureaus – Equifax, Experian and TransUnion – and should request them at the earliest possible opportunity.
Office for Civil Rights Could Fine DADS up to $12 million for the HIPAA Violation
OCR investigates all breach reports involving 500 or more individuals. When a HIPAA violation appears to have occurred, a full compliance review can be initiated.
Cavuto said, “It looks like the application was developed without the appropriate security.” That would be a clear violation of the HIPAA Security Rule, which requires covered entities to protect patients’ PHI with administrative, physical and technical safeguards.
OCR enforces the HIPAA Rules and can impose civil monetary penalties of up to $1.5 million per calendar year for all violations of an identical provision.
Because that cap applies per year, a violation that persisted for eight years could in principle attract a penalty of up to $12 million. If an OCR investigation reveals other HIPAA violations, the potential fine could be considerably higher.
OCR does not always issue fines, but it investigates every breach report involving 500 or more individuals to check for HIPAA violations, and it takes action against healthcare providers and other covered entities that fail to comply. The agency is likely to want to know why the DADS HIPAA risk analysis did not identify the exposure.
DADS is now conducting a thorough risk analysis to check for other security vulnerabilities and a full review of its computer systems to identify any other potential data breaches.