What is the Texas Data Breach Wall of Shame?

In 2009, the Department of Health and Human Services’ (HHS) Office for Civil Rights decided that tough HIPAA enforcement measures were required. So, OCR came up with what is known as the HIPAA “Wall of Shame” – a website listing breaches of unsecured protected health information affecting 500 or more individuals. Entities that suffer these large breaches must provide OCR with the name of their business, the state they operate in, how many individuals were affected by the breach, when the breach was reported, and the type of breach. OCR then takes this information and places it on the Wall, which is publicly accessible. Texas recently decided that shaming at the state level is important, too. A recent amendment to the Texas Identity Theft Enforcement and Protection Act requires the state attorney general to create a Texas Wall of Shame for entities reporting large data breaches. Details about the Texas data breach wall of shame are provided below.

What is the Texas Data Breach Wall of Shame and How Do I End Up on the List?


In early June of 2021, Texas Governor Greg Abbott signed into law HB 3746, which amends the state’s data breach notification law. That law, known as the Texas Identity Theft Enforcement and Protection Act (TITEPA), requires that businesses incurring a data breach notify the Texas Attorney General if the breach involves at least 250 residents of Texas.

Under Texas law, a “data breach” is a breach of “sensitive personal information.” Sensitive personal information includes (among other things) protected health information under HIPAA.


Before HB 3746 was signed into law, entities that sustained a breach affecting at least 250 Texas residents were required, within 60 days of the breach, to provide the Texas Attorney General with the following:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; and
  • The number of Texas residents affected by the breach at the time of notification.

Businesses were also required to notify consumers who were affected by the breach, by providing a notice that contained:

  • The measures taken by the business regarding the breach; and
  • Any measures the business intended to take regarding the breach after providing the notice.

HB 3746 retains these requirements and adds new ones. Under HB 3746, Texas businesses that sustain breaches involving at least 250 residents must now also provide the Texas Attorney General (AG) with the number of affected residents who have been sent a disclosure of the breach by mail or another direct method of communication.

In addition, HB 3746 requires the AG to post, on its publicly accessible website, a listing of all notifications that businesses were already required to provide. In other words, as of September 1, 2021 (the effective date of the law), the AG’s website must contain a list of notifications of breaches affecting 250 or more individuals. Each notification can be publicly viewed.


The following details of each notification can also be publicly viewed: