The Health and Human Services Commission (HHSC) in Texas discovered that multiple agency workers violated the HIPAA Privacy Rule. The workers accessed the information of 61,000 people who received agency services, with no legitimate work reason and without HHSC’s authorization.
The information impermissibly viewed includes complete names, home addresses, phone numbers, birth dates, Social Security numbers, Medicare and Medicaid numbers, financial data, job details, benefits data, medical insurance data, medical certificates, and other personal data. The types of data viewed differ from one person to another.
HHSC discovered the unauthorized access on November 21, 2024, and conducted an internal investigation, which revealed that the unauthorized access happened from June 2021 to December 2024. HHSC didn’t reveal how many agency workers were involved, why the unauthorized access occurred, how it discovered the privacy violation, or why it took so long to detect the unauthorized access.
The fact that the privacy violations carried on for 3.5 years shows that either HHSC wasn’t checking access records for unauthorized access by workers or its tracking systems were not effective. HHSC stated that the incident had been reported to the Texas Health and Human Services Office of Inspector General (OIG) and will be investigated. The OIG will also work with prosecutor offices to file criminal charges against the people responsible.
HHSC mailed notification letters to the impacted people, who were instructed to carefully review their accounts and the statements from their medical care providers, financial organizations, and insurance firms for possible fraudulent transactions and to report any suspicious transactions to those organizations. Individuals who received services through the Supplemental Nutrition Assistance Program (SNAP) were instructed to watch for fraudulent activity in their Lone Star Card transactions. Investigations are ongoing to determine the effect on other HHSC services, and other impacted people might be identified.
The impacted people were provided free credit monitoring and identity theft protection services. HHSC mentioned that it is improving its internal security settings and is focusing on applying extra fraud prevention procedures, such as improving monitoring and warnings to identify suspicious activity and providing HIPAA training to employees.