Tracy Ryans got mail — straight from the Texas Health and Human Services Commission, including a box full of state assistance application forms with hundreds of people’s social security card numbers, green card certificates, billing statements, check stubs and photocopies of driver’s licenses.
HHSC wasn’t supposed to have sent them.
Just weeks ago Ryans, 51, was fired from the agency after nine years for allegedly not securing client information protected by the federal Health Insurance Portability and Accountability Act, or HIPAA. She denies the accusation.
It now appears the agency might have done something similar by mailing her a box full of private client information.
“I didn’t know what to do with it,” Ryans said of the box. “The only thing that was going through my mind was, ‘This is a violation,’ because I don’t know what to do with this stuff.”
Two boxes were waiting on her front porch in Houston last Wednesday. One contained items from the desk she had shared with other HHSC workers — old shoes, pens, a coffee cup — none of which were hers. The other had the benefit applications alongside copies of personal information. Ryans left the agency on March 29. The files were dated April 13.
Now worried the agency would say she took the files, Ryans called the Texas State Employees Union for help and spoke with an attorney.
“Once I opened it I left it in there, I didn’t want to pull it out or anything,” Ryans said. “I was like, ‘This is unusual,’ and they said, ‘Well, how many pieces do you think it is? Like five pieces, 15 pieces?’ I’m like, ‘No, it’s a stack, it’s a box.’”
The agency let Ryans know that she had no legal right to have the files they had sent her, or to the information in them, and that they could arrange for someone to stop by her house to get the box.
Ryans and a union representative returned the files to the commission Wednesday.
“You tell me I’ve been in violation of HIPAA, but then y'all turn around and send me something and do the same thing that I’ve never done,” Ryans said of the agency.
Kelli Weldon, a spokesperson for HHSC, confirmed in an email statement that the files were returned and that the matter has been referred to the Office of the Inspector General, the agency’s anti-fraud unit. She said if there has been a HIPAA breach, “we will take all necessary steps to remedy it.” She noted that the agency trains employees and contractors on how to protect confidential information.
“The results of an investigation determine what disciplinary actions, mitigation measures, notices to affected individuals and other steps in response to the incident are appropriate,” Weldon said.
The agency could not immediately say whether its misdelivery of the files constituted a violation of federal health privacy laws.
Jamie Sorley, a privacy attorney in Dallas, said it’s unclear whether there was a HIPAA violation, since it hasn’t been confirmed there was any health care information in the files. She said the HHSC clients potentially affected — when they find out who they are — should monitor their financial accounts and credit reports for suspicious activity.
“Good data security practices require organizations to safeguard sensitive information and require employers to terminate an employee’s access to information when the employee no longer requires such access to perform her job,” Sorley said.
“How do things like this happen?” said Myko Gedutis, an organizer with the Texas State Employees Union.
He pointed to an incident last year when the agency revealed that 1,842 people in Houston had their private information compromised when a box of forms — including names, mailing addresses, social security numbers, health information and bank account numbers — was left beside a dumpster.
For now, with the boxes returned to HHSC, Ryans is job hunting. She said she had liked helping HHSC clients fill out applications and get the help they needed with food assistance and Medicaid, the joint health insurance program for the poor and disabled.
“When you work there as long as I have, some of the clients became accustomed to me,” Ryans said. “That was the plus about the job, especially when people come in and they get up on their feet and say, ‘I don’t have to come and fill out this form no more’... You have your positive moments, and you try to help them. That was the joy of the job.”
This article originally appeared in The Texas Tribune.
