AUSTIN (KXAN) – After a large amount of files containing state documents – and possibly sensitive health information for nursing home residents – went missing earlier this year, Texas Health and Human Services Commission determined that the files never went away.
A state employee from HHSC’s regulatory division came to KXAN and raised concerns, after receiving an email in October alerting them to the missing files. The employee said he routinely processes long-term care home residents’ personal information and other private details in their investigations, from names and Social Security numbers to prescriptions and medical information.
“Anything you could want to take control of someone’s life,” they said. “Worst case scenario: Files have been deleted and information has been scanned and distributed to the wrong people. It was my first thought.
An incident report from the Austin Police Department shows that a detective was initially investigating the incident as theft from one of their north Austin offices in late September. The HHSC said it reported the missing documents to the DPA and the Inspector General’s Office on October 18.
When KXAN investigators requested an update on the case this week, a spokesperson for HHSC said the location of the documents had been identified and had in fact never gone missing.
“After a thorough internal review, HHSC determined that these regulatory records were still in the possession of our staff and that no information was released to the public or any other entity,” the spokesperson said.
She explained that the documents initially appeared to have been misplaced because they had not been returned to the office for timely storage and retention, which agency policy requires.
“We believe this delay is due in part to the high volume of COVID-related investigations that field staff were conducting at long-term care facilities in the region,” the spokesperson said.
The spokesperson said he had taken appropriate action for staff and sent a note and reminded his staff of the records retention and storage policy. However, the agency failed to notify long-term care facilities in the state as they would have in the event of a privacy breach.
In 2019, HHSC was fined $ 1.6 million by the Federal Office of Civil Rights for allowing the private health information of certain patients to be viewed online publicly, including names, addresses, telephone numbers. social security and treatment information. The information was discovered after the Texas Department of Aging and Disability Services filed a report of a data breach.
The state employee who reported the initial investigation to KXAN said the incident raised other security questions about the agency. They were particularly concerned about the security of documents in the possession of teleworkers
“Often the elderly in these homes do not have a lawyer to speak on their behalf, and we have to be that lawyer,” they said.
Amanda Fredriksen, director of advocacy at AARP Texas, was unable to speak to this particular incident, but said vulnerable information of seniors is often the target of scams and fraudulent activity.
“To access Medicaid, they had to give out a lot of information that we tell people not to share, but they don’t have a choice,” she explained of the benefits program serving approximately two-thirds of nursing home residents.
So, she said, sharing this kind of information comes with a level of trust in the facilities, agencies and programs responsible for managing it.
“As a consumer, you have the right to ask: how are they going to protect this information? What actions are they taking? Said Fredriksen.
The HHSC said it has security procedures and protocols in place to protect sensitive information, but does not publicly discuss security processes.
He said all records containing confidential information, personally identifiable information, sensitive personal information or protected health information are kept, transported and disposed of in a manner that is secure and in accordance with federal and state laws. When an employee leaves or is transferred from the agency, his supervisor is responsible for obtaining the state records of his former employee’s possession.
Its spokesperson said: “We continually review our security measures, and when we identify ways to strengthen and improve them, we do so.”