Search Results : texas » PHIprivacy.net

Sep 29, 2014

The University of Florida and the Texas Health and Human Services Commission (HHSC) are partners for the Texas Wellness Incentives and Navigation (WIN) Project for Medicaid patients.

In a newly disclosed breach, the University of Florida, acting as a partner of the HHSC, sent letters to Houston area physicians requesting health records for WIN project enrollees.  Due to a reported mail merge error, however, some University inquiries were mistakenly sent to the wrong physician.  UF reports that the only information shared with the incorrect physician was the patient’s name, Medicaid STAR+PLUS identification number, and date of birth.

According to the notification letter sent to affected patients last week, the error occurred in November 2013 and was first reported to a University Institutional Review Board on March 3, 2014. The Texas HHSC was also notified about the event on March 22, 2014.

Soon after, the Texas Office of the Inspector General investigated a possible breach complaint and on August 24, 2014 the Texas HHSC Privacy Officer determined that patient notification was required.

There is no explanation as to when UF first discovered the mistake, why it took so long for them to notify their Institutional Review Board and Texas HHSC, or why it took the Texas OIG so long to determine that patient notification was required. Nor does UF mention whether they ever asked the physicians receiving the incorrect requests to securely shred the inquiries, or why they had not come to their own determination that notification was required under HIPAA.

Those affected were not offered any credit monitoring services, and because the recipients of the mis-mailings were HIPAA covered entities, the risk to patients should be relatively low. Although we know that in other cases, there are doctors who misuse Medicaid numbers for fraud schemes, credit monitoring would not really help here.


Sep 18, 2014

Brian Krebs reports:

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

[…]

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

[…]

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

Read more on KrebsOnSecurity.

Aug 28, 2014

From Courthouse News:

Texas has sued fired Medicaid claims administrator Xerox for the second time in four months, claiming its failure to return client medical records exposes the state to massive federal fines for violations of privacy.

The Texas Health and Human Services Commission sued Xerox State Healthcare in Travis County Court on Tuesday.

The commission claims that on July 31, Xerox employees removed company laptops and 244 boxes of documents from its offices after the state terminated the parties’ agreement and sued.

The commission believes the information includes client names, photographs, birthdates, medical and billing records.

Read more on Courthouse News.

h/t, Joe Cadillic

Update: The state’s press release can be found here. PHIprivacy.net has emailed Xerox for a statement and will either update this entry or create a new one if and when more information becomes available.

Update 2: Xerox provided PHIprivacy.net with the following statement:

On August 1, Xerox completed the transition of the State of Texas’ Medicaid contract to a new vendor. This transition was accomplished with complete transparency and with the full knowledge and participation of the Health and Human Services Commission. The retention of property includes Xerox material such as computer monitors, televisions, human resource files, internal financial records and Xerox branded collateral and posters, while the data represents proprietary Xerox information and was retained with the State’s knowledge who declined repeated opportunities to review the material. Last month, Xerox asked the Travis County District Court to rule on our retention of this information and a court date is set for next month.

The Xerox spokesperson also kindly provided a copy of the motion they filed last month in Travis County Court, which I have uploaded here (pdf).

You get a somewhat different impression when you get both sides of the story, don’t you?

 

Jul 25, 2014

AP reports the conviction of a doctor in a case previously noted on this blog:

A North Texas physician who ran a now-closed hospital near Dallas has been convicted of conspiracy, identity theft and health care fraud.

A federal jury in Tyler found Dr. Tariq Mahmood guilty Thursday of more than $1 million in fraudulent Medicare and Medicaid claims.

The Cedar Hill physician faces up to 10 years imprisonment for the conspiracy conviction, 10 years for each fraud count and two years for each identity theft count. No sentencing date has been set.

Read more on Daily Reporter, although it’s not clear from publicly available info which patients (from which facilities) had their Medicare or Medicaid numbers misused as part of the fraud and whether they were ever notified of same.