When DADS Don’t Know Best
No, we aren’t talking about Father Knows Best here. We are referencing the Department of Aging and Disability Services (DADS). In 2017 it was added to the Texas Health and Human Services Commission (HHSC), which is comprised of childcare and nursing facilities, operations of supported living centers, providing mental health and substance use services, and also administering programs for people in need. The addition of DADS cost them $1.6 million in penalties when the Office for Civil Rights fined them for potential HIPAA violations for activity dating back to 2015.
That was when DADS notified the OCR that 6,617 records for patients of the Community Living Assistance and Support Services and Deaf Blind with Multiple Disabilities’ were exposed as the result of a software flaw. This error occurred when access controls on applications and IT systems were not properly in place per HIPAA requirements. The exposure came when an application was moved from a private to a public server. A flaw in the software code allowed non-verified users to access patient information. This information included names, addresses, Social Security and Medicaid numbers, and treatment/diagnosis details.
The large monetary fine was a result of the time that Texas HHS was out of compliance in regard to the HIPAA rules. They failed to perform a security risk analysis within the deadline time frame of August 2016 and disregarded the importance of it. Additionally, they acknowledged that they had only performed “risk assessment activities” on their servers and applications but had never performed an agency-wide analysis.
We can only hope that when one firm acquires or absorbs another, they are aware of the dangerous implications that can happen if they are not fully aware of their past transgressions.