Breach of PHI at Texas Children’s Health Plan After Staff Member Sent Emails to Personal Account

A breach of HIPPA has occurred at the Texas Children’s Health Plan after it has been found that the protected health information (PHI) of 932 clients has been emailed to the personal private email account of a former member of staff.

The violation of privacy was incident was first seen on September 21, 2017, although it was discovered that the former member of staff emailed the private data in November and December 2016. The emails included in the breach were discovered during a routine review of the organization’s IT infrastructure.

Texas Children’s Health Plan moved quickly once the breach was found and took steps toto mitigate risk. The health insurance plan has also adapted additional security measures to prevent similar breaches incidents from being experienced in the future and staff members have been re-trained on hospital policies and HIPAA Rules.

While the reason for the PHI being emailed to the personal email account has not been publicly revealed, the breach report made public on the Texan Children’s Plan website states that no evidence has been uncovered to suggest any plan member information has been used inappropriately. However, law enforcement agencies have been made aware of the breach.

As per the stipulations in the HIPAA Breach Notification Rule, the breach incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and all patients affected by the incident have been made aware of it by mail. Breach notification correspondence were sent to patients on Friday, October 27, well inside the maximum deadline required by the HIPAA Breach Notification Rule.

The types of data included in the emails were different for each individual affected, but typically included: Names, telephone numbers, addresses, dates of birth, Medicaid details, waiver type, STAR kids manager’s name and group, and details included in a budget worksheet. No financial details or Social Security data was stored in the emails, although for a few of those affected, the following information was also included int he emails broadcast: Medical record numbers, medical diagnoses, and clinical details and histories.

This type of HIPAA breach is see quite often. Several HIPAA-covered organizations have identified similar incidents in recent months. In lots of instances, PHI is taken to supply to a new employer to attract patients to a new practice and some cases have seen PHI broadcast to acquaintances and relatives to aid with data processing tasks. Some healthcare employees have also obtained data in order to commit identity theft and fraud.

HIPAA-covered organization must be reviewing to check for PHI theft via email on a regular basis. It is recommended that restrictions be adapted in order to prevent PHI from being emailed outside the organization in any instance..

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: