Texas Department of Aging and Disability Services To Pay $1.6 Million Settlement Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights and the Texas Department of Aging and Disability Services (DADS) have reached a settlement to resolve the HIPAA violations that contributed to a 2015 data breach that exposed 6,617 Medicaid recipients’ protected health information (PHI).

The breach was caused by a web application error that allowed unrestricted access to ePHI over the web for about 8 years. On June 11, 2015, DADS reported the breach to OCR.

OCR started a breach investigation to assess whether HIPAA Rules had been violated. In July 2015, OCR informed DADS that the investigation had identified several violations of HIPAA Rules.

DADS was found to have violated 45 C.F.R. § 164.308(a)(1)(ii)(A), which is the risk analysis condition of the HIPAA Security Rule. DADS failed to perform a detailed, organization-wide risk analysis to determine potential risks to ePHI.

There were also violations of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1). DADS failed to employ proper technical policies and procedures to ensure only authorized persons can access systems containing ePHI.

45 C.F.R. § 164.312(b) was also violated. DADS had not implemented suitable hardware, software, and procedural mechanisms to record and examine information system activity.

Because of these violations, an impermissible disclosure of ePHI occurred.

The seriousness of the violations called for the issuance of a financial penalty and corrective action plan. The two were presented to the State of Texas and DADS was granted the chance to carry out the measures specified in the CAP to address the violations. Since the breach occurred, the functions and resources involved in the breach were transferred to the Health and Human Services Commission (HHSC).

The State of Texas submitted a counter proposal for a settlement agreement, which will see the CMS deduct $1,600,000 from sums payable to HHSC. Under the settlement, HHSC is released from any other actions associated with the breach. HHSC agreed not to contest the settlement or CAP.

OCR has not yet announced the settlement, though the 86th Legislature of the State of Texas has approved it. This is going to be the first HIPAA settlement between a HIPAA covered entity and OCR in 2019.