The inadvertent release of names, addresses, Social Security numbers and treatment information between 2013 and 2017 violated federal health privacy laws, resulting in the fine, said officials with the Office for Civil Rights at the U.S. Department of Health and Human Services.
“No one should have to worry about their private health information being discoverable through a Google search,” said Roger Severino, director of the Office for Civil Rights.
According to the federal agency, the information was held by the Texas Department of Aging and Disability Services, which provided long-term care for elderly Texans and those with physical and intellectual disabilities before it was reorganized into the Health and Human Services Commission in 2017.
The breach occurred when an internal application was moved from a private, secure server to a public server, where a software flaw allowed the private information to be viewed without access credentials.
The Office for Civil Rights’ investigation also determined that the Texas agency failed to conduct a risk analysis and to implement access and audit controls on its information systems, as required by the Health Insurance Portability and Accountability Act, the privacy law commonly known as HIPAA.
Because of inadequate audit controls, the Texas agency was unable to determine how many unauthorized people viewed the private information, the federal investigation concluded.
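The two gaps the investigators name, no credential check on the public server and no audit trail to reconstruct who looked, are easy to see side by side in code. The following is an added illustration, not code from the Texas agency or from the federal investigation; the record store, token store, request shape and timestamps are all constructed for the example, and the handler names and log format are assumptions.

```python
# Added example, not code from the Texas agency or the HHS investigation. It
# models the two gaps the article names: a handler that serves records with no
# credential check (the public-server flaw) beside one that enforces access
# control and writes an audit log, so "who viewed this record?" can be answered.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: fake record IDs and fake people, not real PHI.
RECORDS: Dict[str, dict] = {
    "rec-1001": {"name": "A. Example", "ssn_last4": "1234", "treatment": "PT"},
    "rec-1002": {"name": "B. Example", "ssn_last4": "5678", "treatment": "OT"},
}

# Constructed credential store (assumed shape): bearer token -> principal.
VALID_TOKENS: Dict[str, str] = {"tok-clinician-7": "clinician-7"}


@dataclass(frozen=True)
class Request:
    record_id: str
    token: Optional[str]   # None models an anonymous visitor or crawler
    remote: str            # client address, as a web server would know it
    ts: str                # ISO timestamp supplied by the caller for determinism


def vulnerable_lookup(req: Request) -> Optional[dict]:
    """The flaw the article describes: any caller can read any record and
    nothing is written down, so the owner can never reconstruct who looked."""
    return RECORDS.get(req.record_id)


class HardenedService:
    """Access control plus an audit trail, the two safeguards at issue."""

    def __init__(self) -> None:
        self.audit_log: List[dict] = []

    def _audit(self, req: Request, principal: Optional[str], outcome: str) -> None:
        # Log identifiers and the outcome only; never copy the PHI into the log.
        self.audit_log.append({
            "ts": req.ts, "remote": req.remote, "record": req.record_id,
            "principal": principal or "anonymous", "outcome": outcome,
        })

    def lookup(self, req: Request) -> Optional[dict]:
        principal = VALID_TOKENS.get(req.token) if req.token else None
        if principal is None:
            self._audit(req, None, "denied")   # record the refusal as well
            return None
        record = RECORDS.get(req.record_id)
        self._audit(req, principal, "allowed" if record else "not_found")
        return record

    def who_viewed(self, record_id: str) -> List[str]:
        """The question the investigation could not answer: which principals
        successfully read this record."""
        return sorted({e["principal"] for e in self.audit_log
                       if e["record"] == record_id and e["outcome"] == "allowed"})

    def denied_sources(self) -> List[str]:
        """Distinct client addresses that were refused, for incident scoping."""
        return sorted({e["remote"] for e in self.audit_log if e["outcome"] == "denied"})


def demo() -> dict:
    """Replay a constructed request mix through both handlers."""
    anon = Request("rec-1001", None, "203.0.113.9", "2017-01-01T00:00:00Z")
    staff = Request("rec-1001", "tok-clinician-7", "10.0.0.5", "2017-01-01T00:01:00Z")
    svc = HardenedService()
    return {
        "vulnerable_served_anonymous": vulnerable_lookup(anon) is not None,
        "hardened_served_anonymous": svc.lookup(anon) is not None,
        "hardened_served_staff": svc.lookup(staff) is not None,
        "viewers_of_rec_1001": svc.who_viewed("rec-1001"),
        "denied_sources": svc.denied_sources(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `denied_sources` and `who_viewed` is that an audit log of identifiers and outcomes, kept separately from the records themselves, is what lets an organization scope a breach after the fact; without it, as the investigation found, the count of unauthorized viewers is simply unknowable.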
The Texas Legislature in May approved a settlement agreement with the federal government, including the $1.6 million fine, to end the matter.
Kelli Weldon, a press officer for the Texas health agency, said officials take information security and privacy seriously.
“We are continually examining ways to strengthen our processes for the health and safety of Texans,” Weldon said.