HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1400 Healthcare Organizations Notified of American College of Cardiology Privacy Breach

1,400 organizations have been notified that patient data supplied to the American College of Cardiology (ACC) via the national cardiovascular data registry has been inadvertently disclosed to a third party vendor. While the total number of affected patients has not yet been disclosed, almost 100,000 individuals are understood to have been affected.

Participating healthcare organizations enter patient data into the ACC-maintained registry and use the database to measure and improve the cardiovascular care provided to patients.

The ACC employed a software development company to redesign the registry and supplied 250 tables of fabricated patient data to populate the database for testing purposes. However, one of the tables supplied to the vendor contained real patient data including names, dates of birth, internal patient ID numbers, and Social Security numbers.

The data were supplied to the vendor at some point between 2009 and 2010, although the improper disclosure was not discovered until December 2015. The ACC notified all affected institutions in February and supplied them with documentation on the ACC investigation.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The ACC has not disclosed details of the organizations that were affected due to confidentiality agreements, although one of the institutions is the Sacred Heart Health System, based in Pensacola, FL.

Sacred Heart was notified of the breach on February 16, 2016 and issued breach notifications to 532 patients on April 11. Sacred Heart was not the worst affected, but had supplied more patient data than most of the 1,400 affected organizations. ACC spokesperson Beth Casteel said the average number of patients per institution was under 70.

The software development company was unaware that one of the tables contained real patient data, and the ACC has no reason to believe that any protected health information was disclosed to anyone other than employees of the software development company and its trusted vendors.

On discovery of the privacy breach the ACC terminated the vendor’s access to data and obtained an attestation stating that all patient data have been destroyed and that no copies exist. The software development company also attested that data were only ever used in relation to the work carried out for the ACC.

Prior to the discovery of the PHI disclosure the ACC had introduced new security controls to better protect patient data. Additionally, Casteel said, “we continue to update security processes and monitoring to ensure best practices are followed for protecting patient data.”

Sacred Heart has informed affected patients that ACC found no evidence of any inappropriate use of patient data. Patients were advised to regularly review their credit card statements, credit reports, and bank statements to check for any irregular activity as a precaution against identity theft and fraud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.