PHI of Almost 1,000 Texas Children’s Health Plan Subscribers Breached in Email

It has recently been discovered that a former employee of the Texas Children’s Health Plan has recieved the protected health information (PHI) of 932 members in a private email.

The last known incident where the former employee emailed the data was late in 2016, November and December, and the HIPAA breach was identified on September 21, 2017. The emails containing the PHI were found during a routine audit.

Texas Children’s Health Plan responded to the breach quickly and has taken steps to prevent any harm to its subscribers. The health insurance plan has also pit in place additional safeguards to prevent similar breaches from occurring in the future and staff have been re-trained on hospital policies and HIPAA Rules.

The circumstances as to why the PHI was being emailed to the personal email account have not been revealed, the breach report published to the insurance plan website explains no proof has been uncovered to suggest any plan member information has been used for ills means. However, the incident has been made known to law enforcement agencies.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, in line with the HIPAA Breach Notification Rule requirement, and all patients impacted by the incident have been alerted by mail. Breach notification letters were sent to patients on Friday, October 27, well inside the required deadline allowed by the HIPAA Breach Notification Rule.

The types of data attached to the emails was different for each patient, but typically included: Names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, STAR kids manager’s name and group and information contained in a budget worksheet. No financial data nor Social Security numbers were attached to the emails, although for a few of the patients, the following data was also included: Medical record numbers, medical diagnoses and clinical history.

This type of incident is relatively unusual. Several HIPAA-covered bodies have found similar incidents recently. In some scenarios, PHI is taken to provide to a new employer to target new patients for a new practice and some cases have seen PHI emailed to friends and relatives to help with data processing tasks. Some healthcare staff members have stolen data in order to commit identity theft and fraud.

HIPAA-covered bodies should be keeping an eye out for PHI theft via email. Ideally, security restrictions should be implemented to stop PHI from being emailed outside the organization IT infrastructure.