Civil Monetary Penalties (CMP) are rare compared to their more common Corrective Action Plan cousins, and to see a second recent Texas healthcare entity at the bitter end of a CMP is a terrible coincidence. The Texas Health and Human Services Commission accepted a $1.6M penalty for disclosing ePHI after an internal software program was moved from one server onto another. Surprisingly, OCR's investigation did not fault Texas Health and Human Services Commission for failing to perform an evaluation in support of a "...response to environmental or operational changes affecting the security of electronic protected health information..." (ref: 164.308(a)(8)). But OCR did conclude Texas Health and Human Services Commission failed to:
conduct an enterprise-wide risk analysis, and
implement access and audit controls on its information systems and applications.
To this point, Texas Health and Human Services Commission could not report how many people were affected by the breach.
We've seen lackluster public-entity compliance programs before and remain surprised by them, given that this isn't the first OCR action against a government organization.