Texas Drops Xerox Breach Lawsuit
Incident Still Listed as One of Largest Breaches on HHS Tally
The Texas Health and Human Services Commission has dropped a lawsuit that it filed last year against Xerox Corp. related to a dispute over Medicaid records containing protected health information.
But the incident is still listed on the official "wall of shame" federal tally of major health data breaches, which refers to it as involving "unauthorized access/disclosure" in violation of HIPAA. And with 2 million individuals affected, it ranks as the fourth-largest breach on the tally compiled by the Department of Health and Human Services' Office for Civil Rights (see Biggest Health Data Breaches In 2014).
An OCR spokeswoman declined to comment on whether the lawsuit dismissal by Texas will have any impact on the status of the breach listing on its tally.
A Texas HHSC spokeswoman tells ISMG that the state agency dropped the data dispute lawsuit against Xerox on Feb. 9 "after the state and Xerox reached an agreement for protecting the confidential information." She notes, however, that the state can bring legal action "if the agreement is violated."
The dispute arose when the state of Texas in May 2014 notified Xerox that it was terminating a contract under which Xerox provided administrative services for the state's Medicaid program. The state cancelled its contract with Xerox, alleging the company inappropriately authorized orthodontic braces that were not medically necessary for thousands of Medicaid patients (see Breach Reported After Vendor Dispute).
In August, after the transition to a new Medicaid vendor, the Texas commission filed a data-related lawsuit against Xerox, alleging that the contractor had failed to turn over computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals, "putting the state out of compliance with federal regulations and at risk of massive federal fines," says a statement issued by Texas HHSC in August.
However, in September, following a court hearing, the state and Xerox reached an agreement for the vendor to retain the disputed documents and data until a hearing that was slated for January. Texas HHSC told ISMG in December that the state "believes there was a low risk that client information was compromised and that the information will be protected" by Xerox.
Xerox, in a statement provided to ISMG, says: "From the outset, Xerox maintained that any claim that client information was compromised in any way was unfounded. Xerox takes data security seriously and is in the vanguard of protecting our clients' business information around the world. Xerox has maintained and will continue to maintain the required data protection measures around all sensitive information to ensure the data's integrity."
A Xerox spokesman says the company "continues to retain the material under strict security protocols and measures. ... The material included proprietary material, such as our HR files for our employees and internal company records and files."
In addition to data still in physical possession of Xerox, "some of the information is in the physical custody of the court," the Texas HHSC spokeswoman explains.
Although the state dropped the lawsuit against Xerox related to the data dispute, another lawsuit focusing on the issue of inappropriately authorized services for Medicaid patients is still pending.