HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

American Family Care Announces 7200-Patient PHI Breach

Birmingham, AL-based healthcare provider American Family Care has alerted 7,200 patients to a breach of protected health information caused by a third-party software error.

An unauthorized individual gained access to systems used to store ePHI on multiple occasions over a period of 10 months. Affected individuals had a limited amount of PHI exposed on CDs containing X-ray images that were provided to patients.

American Family Care conducted a thorough investigation and determined that a fault in the design and installation of third-party software had resulted in the exposure of patients' PHI.

No Social Security numbers, medical information, Driver’s license numbers, or insurance information were exposed, although affected patients did have their name, medical record number, date of birth, and gender exposed as a result of the error.


The breaches of PHI occurred at four American Family Care clinics: AFC Smyrna in Tennessee, and AFC's Alabaster, Flintridge, and Wetumpka clinics in Alabama. Affected patients had visited the clinics between August 26, 2015 and June 14, 2016.

In accordance with the HIPAA Breach Notification Rule, all affected patients have been sent breach notification letters by mail to advise them of the privacy breach. The software error has now been corrected and policies and procedures have been updated to prevent further breaches of this nature from occurring.

The PHI breach highlights how important it is to conduct a comprehensive risk assessment covering all systems that come into contact with ePHI. Those risk assessments should also include third-party software. In June, the Department of Health and Human Services issued a warning about the risk of PHI exposure from third-party software applications.

The warning was issued after it was discovered that security issues with third-party applications appeared to be on the rise. In spite of the risks, OCR warned that fewer than one in five companies performed verification of third-party software.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.