Texas Health and Human Services Commission Affected by Insider Breach at Business Associate
The Texas Health and Human Services Commission (HHSC) has been affected by an insider breach at one of its business associates, Maximus US Services. The unauthorized access was discovered by the Texas HHSC while investigating its own insider data breach.
In January 2025, the Texas HHSC announced that several employees had accessed the protected health information of approximately 61,104 individuals without authorization over the previous three and a half years. During the course of the investigation, the Texas HHSC identified unauthorized access to HHSC program data by a Maximus employee. Maximus was notified about the data breach and promptly terminated the employee’s access to HHSC program data while the incident was investigated. Maximus confirmed that the employee no longer works for the company.
Maximus said its investigation confirmed that it was an isolated incident involving a single employee, and that it was assisting the HHSC Office of Inspector General with its investigation. As a precaution against identity theft and fraud, Maximus has offered the affected individuals two years of complimentary credit monitoring and identity theft protection services. The HHS’ Office for Civil Rights was recently informed that up to 4,529 individuals were affected.
Sonrisas Dental Health
Sonrisas Dental Health in San Mateo, California, has issued prompt notifications to 15,644 individuals about a recent data security incident. Unauthorized access to its computer network was first identified on March 4, 2025. Sonrisas Dental Health said steps were quickly taken to secure its network and investigate the unauthorized activity, and on or around April 14, 2025, it was confirmed that unauthorized individuals had accessed and acquired certain files from its network, some of which contained sensitive patient data. The Bianlian cyber threat group has claimed responsibility for the attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Data potentially compromised in the incident includes names, driver’s license numbers, Social Security numbers, dates of birth, and protected health information such as dental images. Since April 14, 2025, Sonrisas Dental Health has been working to obtain up-to-date contact information to allow notification letters to be mailed. The security breach was reported to the Federal Bureau of Investigation, regulators were notified, and measures have been implemented to enhance network security. Individual notifications were issued on May 5, 2025.
No evidence was found to indicate that any of the data exposed in the incident had been misused at the time of issuing notifications. As a precaution against data misuse, Sonrisas Dental Health has arranged for the affected individuals to be provided with complimentary single-bureau credit monitoring and credit score services.
