Tracy Ryans, a former employee of the Texas Health and Human Services Commission fired for an alleged HIPAA violation, recently received a box full of state assistance applications chock full of personal information from her former employer, the Texas Tribune reported April 25.
The applications included Social Security numbers, green cards, billing statements, check stubs, and driver’s licenses.
“I didn’t know what to do with [the box],” Ryans told the Tribune. “The only thing that was going through my mind was, ‘This is a violation,’ because I don’t know what to do with this stuff.”
Ryans was fired from the agency after nine years for allegedly not securing client information in violation of HIPAA, a charge which she denies.
She received two boxes from her former employer. One contained items from a desk that she shared with other employees. The other contained the applications with the personal information.
“Once I opened it I left it in there, I didn’t want to pull it out or anything,” Ryans said. “I was like, ‘This is unusual,’ and [HHSC] said, ‘Well, how many pieces do you think it is? Like five pieces, 15 pieces?’ I’m like, ‘No, it’s a stack, it’s a box.’” In fact, there was information on more than 100 individuals.
HHSC told Ryans that she had to return the box with the applications, and they could arrange for the box to be picked up at her house. Instead, Ryans went with a representative of the Texas State Employees Union to the HHSC office with the box.
“You tell me I’ve been in violation of HIPAA, but then y'all turn around and send me something and do the same thing that I’ve never done,” Ryans said of the agency. Apparently, no one at the agency saw the irony of the error.
The commission’s Office of the Inspector General is investigating the matter, Kelli Weldon, an HHSC spokesperson, confirmed with the Tribune. Weldon said that action will be taken if this is determined to be a HIPAA violation.
“The results of an investigation determine what disciplinary actions, mitigation measures, notices to affected individuals and other steps in response to the incident are appropriate,” Weldon said in an email statement.
Jamie Sorley, a privacy attorney in Dallas, told the Tribune that it is not clear that protected health information (PHI) was in the applications, so it may not have been a HIPAA violation.
“Good data security practices require organizations to safeguard sensitive information and require employers to terminate an employee’s access to information when the employee no longer requires such access to perform her job,” Sorley said.
Myko Gedutis, an organizer with the Texas State Employees Union, said that HHSC has a history of poor data security practices. Gedutis cited an incident last year in which 1,842 individuals had their personal information exposed when a box of forms was left beside a dumpster.
The information on the forms included names, client numbers, dates of birth, case numbers, phone numbers and possibly mailing addresses, Social Security numbers, health information, and bank accounts.
In that breach, HHSC said it was providing free credit monitoring services to individuals affected.
“HHSC is committed to ensuring that our clients' confidential information is secure,” it said at the time. “The agency is investigating this event and taking steps to secure confidential information and reduce the chances of this event happening again. HHSC is reviewing its processes and procedures for disposing of and destroying documents that contain private information, and making any changes needed to prevent this type of event in the future,” it added.
Apparently, the agency did not take the necessary steps to prevent this most recent data breach from happening.
Although not discussed in the Texas Tribune article, the error could be a breach of the state data breach notification law if the agency does not notify potential victims. Personal information covered by the law is a combination of the name and a second data element, which includes Social Security number; driver’s license number; or bank account, credit card, or debit card number if accompanied by PIN, password, or access code.
As for Ryans, she continues to look for another job, although she liked the work she did at HHSC.
“When you work there as long as I have, some of the clients became accustomed to me,” she told the Tribune.
“That was the plus about the job, especially when people come in and they get up on their feet and say, ‘I don’t have to come and fill out this form no more’... You have your positive moments, and you try to help them. That was the joy of the job.”