[Dataloss] Medicaid Computers stolen from Texas City Tx

Mark Simon msimon2 at eclipsecurityllc.com
Mon Mar 10 15:00:42 UTC 2008 

No one should be too surprised that the Texas Health and Human Services Commission isn't likely to alert Medicaid clients of its uncertainty concerning the possible misappropriation of social security numbers.

A recent change in Texas law makes the protection of social security numbers optional for state agencies,* unlike most states where public policy mandates the safeguard of social security numbers from public display or disclosure.  Effective March 28, 2007, Tex. Gov't Code Sec. § 552.147[0] provides in pertinent part, "The social security number of a living person is ...  not confidential under this section and this section does not make the social security number of a living person confidential under another provision of this chapter or other law."  

Notwithstanding Texas law, HIPAA's Privacy Rule protects the confidentiality of Medicaid client social security numbers.  "The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule."  Source: U.S. Department of Health and Human Services, FAQ "Does the HIPAA Privacy Rule preempt State laws?" at http://www.hhs.gov/hipaafaq/state/399.html.


* Texas continues to require businesses to safeguard social security numbers in Tex. Bus. & Com. Code § 35.58  (2007).
 

--
Mark S. Simon, Director of Regulatory Compliance Consulting 
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331

www.eclipsecurityLLC.com


Lock-in success.  Because information travels...


The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message. 

 


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
Sent: Monday, March 10, 2008 6:44 AM
To: dataloss at attrition.org
Subject: [Dataloss] Medicaid Computers stolen from Texas City Tx

>From the Galveston County Daily News
http://tinyurl.com/2owkkl

TEXAS CITY - Sensitive information that could be used to steal Medicaid clients' identity may have been stored on two computers stolen during a burglary, officials said Friday.

Texas City police were called to investigate an overnight burglary Wednesday morning at the Texas Department of Health and Human Services at 714 Loop 197 N.
[...]

Stephanie Goodman, a spokeswoman with Texas Health and Human Services, said the computers could have contained personal information only on e-mails.

The e-mails, however, would normally contain only an individual's case number, she said. It is unlikely those e-mails would have listed Social Security numbers, she said.

"I can't say 100 percent that it wouldn't be on e-mails, but that would be the only way to have access to anything," Goodman said.

The state isn't likely to alert Medicaid clients about the incident, Goodman said.

[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

More information about the Dataloss mailing list