Share this article on:
Birmingham, AL-based healthcare provider, American Family Care, has alerted 7,200 patients to a breach of protected health information that was caused as a result of a third party software error.
An unauthorized individual gained access to systems used to store ePHI on multiple occasions over a period of 10 months. Affected individuals had a limited amount of PHI exposed on CDs containing X-ray images that were provided to patients.
American Family Care conducted a thorough investigation and determined that there was a fault with the design and installation of third party software which resulted in the PHI of patients being exposed.
No Social Security numbers, medical information, Driver’s license numbers, or insurance information were exposed, although affected patients did have their name, medical record number, date of birth, and gender exposed as a result of the error.
The breaches of PHI occurred at four American Family Care Clinics: AFC Smyrna in Tennessee, and AFC’s Alabaster, Flintridge, and Wetumpka clinics in Alabama. Affected patients had visited the clinic between August 26, 2015 and June 14, 2016.
In accordance with the HIPAA Breach Notification Rule, all affected patients have been sent breach notification letters by mail to advise them of the privacy breach. The software error has now been corrected and policies and procedures have been updated to prevent further breaches of this nature from occurring.
The PHI breach highlights how important it is to conduct a comprehensive risk assessment covering all systems that come into contact with ePHI. Those risk assessments should also include third party software. In June, the Department of Health and Human Services issued a warning about the risk of PHI exposure from third party software applications.
The warning was issued after it was discovered that security issues with third party applications appeared to be on the rise. In spite of the risks, OCR warned that fewer than one in five companies performed verification on third party software.