HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months.

The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect.

Texas Health Resources explained in its substitute breach notice that the incident was part of a larger attack that affected multiple entities across the United States. It is currently unclear which other healthcare organizations were also targeted by the attacker and therefore the true scale of the campaign.

Texas Health Resources conducted its own internal investigation into the breach and determined that the compromised email accounts contained information such as names, dates of birth, Social Security numbers, medical record numbers, drivers’ license numbers, state ID numbers, insurance information, and clinical information. Most of the affected individuals had received medical services at Texas Health Resources facilities in 2017.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals whose Social Security numbers were exposed have been offered complimentary identity theft and credit monitoring services for one year without charge. No reports have been received to suggest any of the information has been misused.

Texas Health continuously works on improving its safeguards to keep protected health information confidential and secure and will be enhancing security monitoring to ensure any future security incidents are detected rapidly in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.