Terminated Employee Got Hold of PHI of 100 Patients

A former employee of Texas Health and Human Services Commission (HHSC) got hold of the protected health information of about 100 patients after being terminated from work. She had collected personal items from her old desk and put them in boxes after being fired. Benefits application forms were included in the boxes by mistake.

The terminated employee is Tracy Ryans, 51 years old. HHSC mailed the boxes containing Ryans’ personal items, which the delivery driver left on her porch. One box contained her personal items, including pens, old shoes and a coffee cup. The other box contained paperwork with highly sensitive client information. Ryans told the Texas Tribune that those items did not belong to her. They were items from a desk she shared with co-workers.

The paperwork consisted of benefits applications of about 100 clients and contained information such as Social Security numbers, copies of driver’s licenses, billing statements and check stubs. The files were dated April 13, 2018, which is 15 days after Ryans left HHSC.

Ryans sought advice from the Texas State Employees Union regarding what she must do with the documents. She was afraid that she would be accused of stealing the papers. She was able to return the paperwork to HHSC with the union’s assistance.

Ryans was terminated after 9 years of working with HHSC because she allegedly failed to ensure the security of client information and violated HIPAA Rules. Ryans denies all these allegations. The mailing of the PHI to Ryans is also considered a violation of HIPAA Rules because she has no legal right to have that information. However, HHSC has not provided details about the paperwork sent to Ryans or said whether the incident was a case of accidental violation of HIPAA Rules.

HHSC is currently investigating the incident and has submitted a potential privacy breach report to the Office of Inspector General. If the investigation confirms exposure of patients’ sensitive information and violation of HIPAA rules, HHSC will take the necessary steps to mitigate the risks and will notify individuals whose information was impacted.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA