PHI of Almost 1,000 Texas Children’s Health Plan Subscribers Breached in Email

by | Nov 6, 2017

It has recently been discovered that a former employee of the Texas Children’s Health Plan has recieved the protected health information (PHI) of 932 members in a private email.

The last known incident where the former employee emailed the data was late in 2016, November and December, and the HIPAA breach was identified on September 21, 2017. The emails containing the PHI were found during a routine audit.

Texas Children’s Health Plan responded to the breach quickly and has taken steps to prevent any harm to its subscribers. The health insurance plan has also pit in place additional safeguards to prevent similar breaches from occurring in the future and staff have been re-trained on hospital policies and HIPAA Rules.

The circumstances as to why the PHI was being emailed to the personal email account have not been revealed, the breach report published to the insurance plan website explains no proof has been uncovered to suggest any plan member information has been used for ills means. However, the incident has been made known to law enforcement agencies.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, in line with the HIPAA Breach Notification Rule requirement, and all patients impacted by the incident have been alerted by mail. Breach notification letters were sent to patients on Friday, October 27, well inside the required deadline allowed by the HIPAA Breach Notification Rule.

The types of data attached to the emails was different for each patient, but typically included: Names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, STAR kids manager’s name and group and information contained in a budget worksheet. No financial data nor Social Security numbers were attached to the emails, although for a few of the patients, the following data was also included: Medical record numbers, medical diagnoses and clinical history.

This type of incident is relatively unusual. Several HIPAA-covered bodies have found similar incidents recently. In some scenarios, PHI is taken to provide to a new employer to target new patients for a new practice and some cases have seen PHI emailed to friends and relatives to help with data processing tasks. Some healthcare staff members have stolen data in order to commit identity theft and fraud.

HIPAA-covered bodies should be keeping an eye out for PHI theft via email. Ideally, security restrictions should be implemented to stop PHI from being emailed outside the organization IT infrastructure.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy