The Office for Civil Rights (OCR) announced that it has fined the Texas Health and Human Services Commission (TXHHS) $1.6 million for HIPAA violations. This is one of the few fines the OCR has levied against a state agency.

The fine centers around a data breach that TXHHS self-reported to the OCR in June 2015 regarding the personal health information (PHI) of 6,617 individuals that was viewed over the Internet. The information that is publicly accessible includes the individuals’ names, addresses, Social Security numbers and treatment information.

The OCR found that in addition to the data breach, TXHHS failed to conduct an enterprise-wide security risk analysis, failed to implement access and audit controls on the information technology system, and was unable to determine how many people accessed the PHI while it was publicly accessible.

The fines imposed were for violations that occurred from 2013 to 2019 and were for the maximum amounts proposed by the OCR to be assessed against TXHHS. Although the OCR provided TXHHS with the opportunity to provide “written evidence of mitigating factors or affirmative defenses and/or written evidence in support of a waiver of a CMP within thirty (30) days from the date of the receipt of the letter,” TXHHS did not respond.

According to the OCR, “No one should have to worry about their private health information being discoverable through a Google search.”