The Texas Health and Human Services Commission has been hit with a $1.6 million HIPAA fine, the HHS' Office for Civil Rights announced Thursday.
The fine follows the OCR's investigation into a data breach at the Texas Department of Aging and Disability Services, an agency that became part of the Health and Human Services Commission in 2017. The commission is part of the broader Texas Health and Human Services System.
The commission did not immediately respond to a request for comment.
In 2015, the Department of Aging and Disability Services reported to OCR that 6,617 people's protected health information had been exposed online, including their names, addresses, Social Security numbers and treatment information.
The breach occurred when an internal application was moved from a private, secure server to a public server, according to the OCR. A flaw in the application's code allowed the health data to be viewed online without any access credentials being required.
The department wasn't able to determine how many unauthorized people had accessed the health data when it was available.
After an investigation, the OCR determined that the department had neglected to implement appropriate access and audit controls on its information systems as required by HIPAA, and had failed to conduct an enterprise-wide risk analysis.
"Covered entities need to know who can access protected health information in their custody at all times," OCR Director Roger Severino said in a statement. "No one should have to worry about their private health information being discoverable through a Google search."
The fine against the Texas agency marks the second HIPAA fine doled out by the OCR this week. The OCR on Tuesday said University of Rochester Medical Center in New York had agreed to pay $3 million in response to multiple instances of the health system reportedly failing to encrypt mobile devices.