On November 7, OCR announced that it had settled with the Texas Health and Human Services Commission (HHSC) for $1.6 million, to resolve HIPAA violations that occurred between 2013-2017. In 2015, the Texas Department of Aging and Disability Services, now the HHSC, filed a breach report with OCR, stating that ePHI, including treatment information and social security numbers, of 6,617 patients had been viewable over the internet. The breach occurred when the information was transferred from a private server to a public one, which contained a flaw in the software code. Because of inadequate audit controls, the agency could not determine how many unauthorized persons accessed the unprotected ePHI.