AUSTIN (KXAN) — After a large number of files containing state documents — and possibly sensitive health information for nursing home residents — were believed to be missing earlier this year, the Texas Health and Human Services Commission determined the records were never missing.

A state employee of HHSC’s regulatory division came to KXAN and shared their concerns, after getting an email in October alerting them to the missing files. The employee said they regularly deal with long-term care residents’ personal information and other private details in their investigations, from names and Social Security numbers to prescriptions and medical information.

“Anything you could possibly want to take over somebody’s life,” they said. “Worst case scenario: the files were removed, and the information was scanned and disseminated to the wrong people. That was my first thought.”

An Austin Police Department incident report shows a detective was initially investigating the incident as a theft from one of their offices in north Austin at the end of September. HHSC said it reported the missing documents to APD and the Office of the Inspector General on Oct. 18.

When KXAN investigators asked for an update on the case this week, a spokesperson for HHSC said the documents’ location had been identified, and they were actually never missing.

“After thorough internal review, HHSC determined these regulatory records were always within our staff’s possession, and no information was disclosed to the public or any other entity,” said the spokesperson.

She explained the documents initially appeared to have been misplaced, because they were not returned to the office for storage and retention in a timely manner, which the agency’s policy requires.

“We believe this delay occurred, in part, due to the high volume of COVID-related investigations that field staff were conducting in area long-term care facilities,” said the spokesperson.

The spokesperson said they took the appropriate personnel action and sent out a memo and reminded their staff of the records retention and storage policy. However, the agency did not notify the state’s long-term care facilities as they would have in the case of a privacy breach.

In 2019, HHSC was fined $1.6 million by the federal Office for Civil Rights for allowing the private health information for some patients, including names, addresses, Social Security numbers and treatment information, to be viewed publicly online. The information was discovered after the Texas Department of Aging and Disability Services filed a report about a data breach.

The state employee who reported the initial investigation to KXAN said the incident raised other security questions about the agency. In particular, they worried about the security of documents in the possession of remote workers.

“A lot of times elderly in these homes don’t have an advocate to speak for them, and we have to be that advocate,” they said.

Amanda Fredriksen, director of advocacy at AARP Texas, couldn’t speak to this incident in particular, but she said elderly people’s vulnerable information is often the target of scams and fraudulent activity.

“To get on Medicaid, they had to give a lot of the information we tell people not to share, but they have no choice,” she explained of the benefits program serving roughly two-thirds of nursing home residents.

So, she said sharing that kind of information comes with a level of trust in the facilities, agencies and programs tasked with managing it.

“As a consumer you have a right to ask: how are they going to protect that information? What steps are they taking?” Fredriksen said.

HHSC said it has security procedures and protocols in place to protect sensitive information but does not discuss security processes publicly.

It said any records containing confidential information, personally identifiable information, sensitive personal information or protected health information are maintained, transported and disposed of in a way that protects them and in accordance with federal and state law. When an employee leaves or transfers from the agency, their supervisor is responsible for getting the state records from their former employee’s possession.

Its spokesperson said, “We continually review our security measures, and when we identify ways to strengthen and improve them, we do so.”