
Contractor implicated in Texas Health data breach probe

A contractor employee was caught improperly accessing personal data during a broader investigation into a Texas health department breach, raising new concerns about third-party oversight.

 

What happened

A secondary data breach was uncovered during the Texas Health and Human Services Commission’s (HHSC) investigation into unauthorized access of federally protected information earlier this year. During the probe of a privacy incident affecting up to 61,000 Texans, investigators identified a contractor employee from Maximus US Services, an IT firm supporting state agencies, who had also accessed protected personal data without authorization.

The discovery comes as part of an ongoing investigation that began in late 2024, initially focused on suspected fraud related to programs like SNAP (food stamps) and public medical assistance.

 

Going deeper

The original breach, announced in January 2025, revealed that state employees had improperly accessed personal records tied to government benefit programs. The agency issued a warning to residents to monitor their Lone Star Card transactions and offered two years of free identity theft protection.

While assessing the full impact, HHSC notified Maximus, an agency contractor since 2007 and a HIPAA business associate, of suspicious activity involving one of its employees. The individual was allegedly “improperly using personal information” from HHSC systems. Upon notification, Maximus revoked the employee’s access and confirmed that the worker was no longer employed with the company.

Although this contractor breach appears more limited in scope than the broader HHSC incident, it still raises serious concerns about third-party access and oversight of sensitive health and benefit data.

 

What was said

A Maximus spokesperson told MySA: “The Texas Health and Human Services Commission notified Maximus that one of our workers was suspected of improperly using personal information from the HHSC’s systems. Maximus promptly terminated the worker’s system access and began to investigate. The employee no longer works with Maximus.”

The company stated that it believes the incident was isolated, and it continues to cooperate with HHSC’s Office of Inspector General. As a precaution, Maximus is offering two years of credit monitoring, identity restoration, and fraud detection through Experian.

 

The big picture

The breach demonstrates the risks associated with contractor access to sensitive government systems, especially in sectors like public health and benefits administration, where vast amounts of personal data are involved. Even when a breach is attributed to a single individual, the implications for data privacy and public trust are substantial.

As government agencies increasingly rely on third-party vendors for IT and operational support, incidents like this underline the need for stringent access controls, better oversight, and stronger breach detection systems to prevent unauthorized data exposure, no matter the source.

 

FAQs

Why is third-party access such a risk for government agencies?

Contractors often have broad access to sensitive systems but may not be subject to the same oversight as internal employees, increasing the risk of misuse.

 

What is HHSC doing to hold contractors accountable?

HHSC is investigating the incident with its Office of Inspector General and reviewing the contractor’s role, responsibilities, and compliance protocols.

 

Could other agencies or states be affected by similar contractor risks?

Yes, any public agency relying on third-party vendors for IT or admin functions faces similar risks unless strict access controls and audits are enforced.

 

How can individuals know if their data was affected?

HHSC typically notifies affected individuals directly and recommends monitoring benefit transactions and credit activity for suspicious behavior.

 

What are the signs that your personal data might be misused?

Unexpected benefit denials, strange transactions, credit report changes, or unsolicited account notices can all indicate potential data misuse.