The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

American Family Care Announces 7200-Patient PHI Breach

Birmingham, AL-based healthcare provider American Family Care has alerted 7,200 patients to a breach of protected health information caused by a third-party software error.

An unauthorized individual gained access to systems used to store ePHI on multiple occasions over a period of 10 months. Affected individuals had a limited amount of PHI exposed on CDs containing X-ray images that were provided to patients.

American Family Care conducted a thorough investigation and determined that there was a fault with the design and installation of third-party software, which resulted in the PHI of patients being exposed.

No Social Security numbers, medical information, driver’s license numbers, or insurance information were exposed, although affected patients did have their name, medical record number, date of birth, and gender exposed as a result of the error.

The breaches of PHI occurred at four American Family Care clinics: AFC Smyrna in Tennessee, and AFC’s Alabaster, Flintridge, and Wetumpka clinics in Alabama. Affected patients had visited the clinics between August 26, 2015 and June 14, 2016.

In accordance with the HIPAA Breach Notification Rule, all affected patients have been sent breach notification letters by mail to advise them of the privacy breach. The software error has now been corrected and policies and procedures have been updated to prevent further breaches of this nature from occurring.

The PHI breach highlights how important it is to conduct a comprehensive risk assessment covering all systems that come into contact with ePHI. Those risk assessments should also include third-party software. In June, the Department of Health and Human Services issued a warning about the risk of PHI exposure from third-party software applications.

The warning was issued after it was discovered that security issues with third party applications appeared to be on the rise. In spite of the risks, OCR warned that fewer than one in five companies performed verification on third party software.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
