PHI of Almost 1,000 Texas Children’s Health Plan Subscribers Breached in Email

by Ryan Coyne | Nov 6, 2017

Texas Children’s Health Plan HIPAA Email Breach

It has recently been discovered that a former employee of the Texas Children’s Health Plan has recieved the protected health information (PHI) of 932 members in a private email.

The last known incident where the former employee emailed the data was late in 2016, November and December, and the HIPAA breach was identified on September 21, 2017. The emails containing the PHI were found during a routine audit.

Texas Children’s Health Plan responded to the breach quickly and has taken steps to prevent any harm to its subscribers. The health insurance plan has also pit in place additional safeguards to prevent similar breaches from occurring in the future and staff have been re-trained on hospital policies and HIPAA Rules.

The circumstances as to why the PHI was being emailed to the personal email account have not been revealed, the breach report published to the insurance plan website explains no proof has been uncovered to suggest any plan member information has been used for ills means. However, the incident has been made known to law enforcement agencies.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, in line with the HIPAA Breach Notification Rule requirement, and all patients impacted by the incident have been alerted by mail. Breach notification letters were sent to patients on Friday, October 27, well inside the required deadline allowed by the HIPAA Breach Notification Rule.

The types of data attached to the emails was different for each patient, but typically included: Names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, STAR kids manager’s name and group and information contained in a budget worksheet. No financial data nor Social Security numbers were attached to the emails, although for a few of the patients, the following data was also included: Medical record numbers, medical diagnoses and clinical history.

This type of incident is relatively unusual. Several HIPAA-covered bodies have found similar incidents recently. In some scenarios, PHI is taken to provide to a new employer to target new patients for a new practice and some cases have seen PHI emailed to friends and relatives to help with data processing tasks. Some healthcare staff members have stolen data in order to commit identity theft and fraud.

HIPAA-covered bodies should be keeping an eye out for PHI theft via email. Ideally, security restrictions should be implemented to stop PHI from being emailed outside the organization IT infrastructure.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter