BAS Blog

$1.6 Million HIPAA Penalty for Unsecured Server

Written by BAS | Dec 19, 2019 2:43:15 PM

The Texas Health and Human Services Commission received a $1.6 million penalty from the U.S. Department of Health and Human Services for releasing the protected health information (PHI) of 6,617 individuals. The PHI was on a public server, where flawed software code allowed people to access the server without proper user credentials.

Data disclosed included names, addresses, Social Security numbers, and treatment and diagnosis information. The Texas department was not able to determine how many unauthorized people accessed the PHI. The Texas department accepted the penalty and acknowledged its shortcomings, namely a lack of controls.