25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach

Posted By on Oct 17, 2017

The San Antonio, TX, Advanced Spine & Pain Center (ASPC) has notified patients of a potential breach and unauthorized use of their protected health information. Potentially, as many as 8,362 patients have been affected by the incident.

ASPC became aware of a potential breach of ePHI on July 31, 2017 when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached.

That investigation revealed unauthorized individuals had gained access to an ASPC server. Unauthorized access occurred even though extensive protections had been put in place, including firewalls, network filtering, security monitoring, password protection, and antivirus software.

While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Since it is possible that patients’ ePHI was viewed or obtained by unauthorized individuals, ASPC has offered all affected patients identity theft protection services and coverage with a $1,000,000 insurance reimbursement policy. A full network scan has been conducted and steps have been taken to ensure the network is secured. Recent monitoring of the network has not uncovered any evidence of continued unauthorized access, and the breach is believed to have been contained.

An analysis of the compromised server has shown the following PHI may have been viewed: Names, addresses, telephone numbers, state and zip codes, Social Security numbers, birth dates, medical records, x-ray images and lab test results, scheduling notes, billing information, insurance information, CPT codes, ID numbers, group numbers, and patients’ gender. No payment information or credit/debit cards were compromised.

The incident has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist