HHSC Notifies Public Regarding Privacy Breach

AUSTIN – The Texas Health and Human Services Commission is notifying recipients of agency services and other affected individuals that their protected health, personal identifying information or sensitive personal information may have been inappropriately accessed, used or disclosed.

On Nov. 21, 2024, HHSC learned the account information and personal identifying information of at least 61,000 individuals may have been improperly accessed by agency employees. HHSC took immediate steps to mitigate the breach by terminating the employees involved and referring the incident to the Texas Health and Human Services Office of Inspector General (OIG) for investigation and coordination with prosecutor offices to pursue criminal charges.

HHSC recommends that affected individuals carefully review their accounts and health care provider, insurance company, and financial institution statements to make sure their account activity is correct. Report any questionable charges promptly to the provider or company and contact law enforcement.

HHSC advises Supplemental Nutrition Assistance Program (SNAP) recipients to check their Lone Star Card transactions for potential fraudulent activity at YourTexasBenefits.com or through the Your Texas Benefits mobile app. Recipients who believe they may have been a victim of SNAP fraud should call 2-1-1, select a language, and choose option 3 to report the fraud to the OIG. They should also contact law enforcement to report the fraud and visit a local HHSC benefits office to have their benefits replaced. 

The agency is still determining the impact of the privacy breach on other HHSC programs.

HHSC is offering two years of free credit monitoring and identity theft protection services to those affected by the breach. Individuals affected by the breach will be notified via first-class mail no later than Jan. 20, 2025. They can also call 866-362-1773, toll-free, Monday through Friday from 8 a.m. to 8 p.m. CST (excluding major U.S. holidays). When calling, use the engagement number B138648.

HHSC is strengthening internal security controls and working to implement additional fraud prevention measures, including enhanced monitoring and alerts to detect suspicious activity.

The data that may have been inappropriately accessed, used or disclosed were not the same for everyone. HHSC has determined full names, home addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, Medicaid and Medicare Identification numbers, financial, employment, banking, benefits, health, insurance, medical, certificate, license and other personal information may have been inappropriately accessed between June 2021 and December 2024. For people affected, read these FAQs (PDF).

As the agency’s internal review continues, additional affected individuals identified will be notified. Employees involved in similar inappropriate and illegal conduct will be terminated and referred to the appropriate authorities.

HHSC understands the impact this privacy breach may have and is committed to protecting the confidential information of those we serve.