On July 31, 2017, Advanced Spine & Pain Center (ASPC) became aware of a potential breach and unauthorized use of patients’ protected health information. About 8,362 patients who may have been affected were notified of the potential breach. ASPC also notified the Department of Health and Human Services Office for Civil Rights and law enforcement of the incident.
Some patients reported receiving a telephone call from someone asking them to pay an outstanding bill. After hearing these reports, ASPC immediately launched an investigation to find out whether a systems breach had indeed occurred. The investigation confirmed unauthorized access to an ASPC server despite the extensive protections in place: firewalls, password protection, network filtering and antivirus software. Nonetheless, it is uncertain what sensitive information the hackers took. There was also no way of telling whether the callers had anything to do with the security breach.
It is ASPC’s responsibility to handle patients’ ePHI with extreme care at all times. Analysis of the compromised server showed that the following patient PHI may have been viewed: names, telephone numbers, addresses, state and zip codes, birthdates, Social Security numbers, medical records, lab test results, x-ray films, schedule notes, billing information, CPT codes, insurance information, ID numbers, and patients’ gender. Payment and credit/debit card information was not compromised at all.
In response to the unauthorized viewing of patients’ ePHI, ASPC immediately did two things:
- ASPC decided to give affected patients identity theft protection services with up to $1,000,000 in insurance coverage.
- ASPC ran a full scan of all systems to check for security issues and fixed the problem.
Since then, regular security monitoring has shown no unauthorized system access, which means that the breach has been successfully contained.