Presented by the Privacy and Data Security Practice Group

Legal Updates for Privacy and Data Security - November 2019

Office of Civil Rights Levies $1.6M Fine Against Texas Health and Human Services Commission for 2017 Data Breach

The Office of Civil Rights (OCR) recently announced that the Texas Health and Human Services Commission was fined $1.6 million for a 2017 data breach that included the personal health information of over 6,600 individuals. The information, which was publicly available online as a result of the breach, included names, addresses, social security numbers and individuals’ health treatment information for approximately four years.

The OCR appeared to be particularly concerned that the personal information was publicly available online and could have been accessed through a simple Google search. The information had been held by the Texas Department of Aging and Disability Services, which provides long-term care for the elderly and to others with physical and mental disabilities. A software flaw was reported to have been the cause of the breach. The Texas agency was also found to have failed to conduct a risk analysis and to implement access and audit controls on its information systems as required by HIPAA. As a result, the Texas agency was reportedly unable to determine how many unauthorized individuals actually viewed the publicly available personal information. Interestingly, the Texas legislature had to approve the settlement, which included the $1.6 million fine.

This substantial penalty once again demonstrates that businesses and governmental agencies must be ever vigilant with their data security. While larger data breaches dominate the news, even small ones–in this instance, a breach that only affected 6,600 individuals–can still lead to significant fines and penalties by federal and state regulators.  


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. If you receive the alerts in error, please send a note to ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2019 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.