Texas Health and Human Services Commission Fires Multiple Employees Over 3.5-Year Privacy Breach
The Texas Health and Human Services Commission (HHSC) has identified HIPAA Privacy Rule violations by multiple agency employees, who have been discovered to have accessed the records of 61,104 individuals who received agency services without a legitimate work reason for doing so and without authorization from HHSC.
The data impermissibly accessed includes full names, home addresses, telephone numbers, dates of birth, Medicaid and Medicare numbers, Social Security numbers, financial information, employment information, benefits information, health insurance information, and medical, certificate, license, and other personal information. The types of information accessed vary from individual to individual.
HHSC said the unauthorized access was detected on November 21, 2024, and the internal investigation determined that the unauthorized access occurred between June 2021 and December 2024. HSCC did not initially disclose the number of agency employees involved, the reasons for the unauthorized access, how the privacy breaches were identified, or why it took so long to discover the unauthorized access. It has since been confirmed that 9 employees have been terminated over the privacy violations, three of whom have had cases referred to local prosecutors, two of whom allegedly changed personal information numbers on Lone Star food stamp cards and made illegal purchases.
Since the privacy violations continued for three and a half years, it suggests that HHSC was not monitoring access logs to identify unauthorized access by employees, or the monitoring systems were ineffective. HHSC said it has referred the incident to the Texas Health and Human Services Office of Inspector General (OIG) for investigation and to coordinate with prosecutor offices to pursue criminal charges against the individuals involved.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notification letters have been mailed to the affected individuals who have been advised to carefully review their accounts and statements received from their healthcare providers, insurance companies, and financial institutions for signs of fraudulent activity and report any suspicious charges to the relevant institution. Recipients of services under the Supplemental Nutrition Assistance Program (SNAP) have been advised to monitor their Lone Star Card transactions for fraudulent activity. Investigations continue to determine the impact on other HHSC programs, and HHSC said further individuals may be identified as affected as the investigation progresses.
The affected individuals have been offered complimentary credit monitoring and identity theft protection services. HHSC said it is strengthening its internal security controls and is working on implementing additional fraud prevention measures, including enhancing monitoring and alerts to detect suspicious activity.
