BreachExchange mailing list archives

Re: Medicaid Computers stolen from Texas City Tx


From: "Mark Simon" <msimon2 () eclipsecurityllc com>
Date: Mon, 10 Mar 2008 10:00:42 -0500

No one should be too surprised that the Texas Health and Human Services Commission isn't likely to alert Medicaid 
clients of its uncertainty concerning the possible misappropriation of social security numbers.

A recent change in Texas law makes the protection of social security numbers optional for state agencies,* unlike most 
states where public policy mandates the safeguard of social security numbers from public display or disclosure.  
Effective March 28, 2007, Tex. Gov't Code § 552.147[0] provides in pertinent part, "The social security number of 
a living person is ...  not confidential under this section and this section does not make the social security number 
of a living person confidential under another provision of this chapter or other law."  

Notwithstanding Texas law, HIPAA's Privacy Rule protects the confidentiality of Medicaid client social security 
numbers.  "The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually 
identifiable health information where that information is held by a covered entity or by a business associate of the 
covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a 
specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually 
identifiable health information and provides greater privacy protections or privacy rights with respect to such 
information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health 
surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or 
financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the 
Privacy Rule."  Source: U.S. Department of Health and Human Services, FAQ "Does the HIPAA Privacy Rule preempt State 
laws?" at http://www.hhs.gov/hipaafaq/state/399.html.


* Texas continues to require businesses to safeguard social security numbers in Tex. Bus. & Com. Code § 35.58  (2007).
 

--
Mark S. Simon, Director of Regulatory Compliance Consulting 
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331

www.eclipsecurityLLC.com


Lock-in success.  Because information travels...


-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Henry Brown
Sent: Monday, March 10, 2008 6:44 AM
To: dataloss () attrition org
Subject: [Dataloss] Medicaid Computers stolen from Texas City Tx

From the Galveston County Daily News
http://tinyurl.com/2owkkl

TEXAS CITY - Sensitive information that could be used to steal Medicaid clients' identity may have been stored on two 
computers stolen during a burglary, officials said Friday.

Texas City police were called to investigate an overnight burglary Wednesday morning at the Texas Department of Health 
and Human Services at 714 Loop 197 N.
[...]

Stephanie Goodman, a spokeswoman with Texas Health and Human Services, said the computers could have contained personal 
information only on e-mails.

The e-mails, however, would normally contain only an individual's case number, she said. It is unlikely those e-mails 
would have listed Social Security numbers, she said.

"I can't say 100 percent that it wouldn't be on e-mails, but that would be the only way to have access to anything," 
Goodman said.

The state isn't likely to alert Medicaid clients about the incident, Goodman said.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan 
your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml