HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Arkansas Spine & Pain Informs Patients About Bizmatics Security Breach

Little Rock, AR-based Arkansas Pain and Spine is the latest healthcare provider to alert its patients that their protected health information was potentially viewed and copied during the Bizmatics data breach in 2015.

In May, healthcare organizations who used the PrognoCIS EMR management tool were notified that patient data have potentially been accessed as a result of a malware infection on a Bizmatics server. The malware was understood to have been loaded on the server in January 2015, but the infection was not discovered until late 2015.

Healthcare organizations have up to 60 days to notify patients who have had their PHI exposed. Over the past couple of months, affected healthcare organizations have been sending out breach notifications. Arkansas Pain and Spine was informed on May 12, 2016 that some of its patients had been affected by the security breach.

Patients potentially had their names, dates of birth, addresses, health insurance information, Social Security numbers, and other clinical information exposed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Bizmatics contracted an external cybersecurity firm to assist with the forensic investigation to determine whether clients’ data were accessed, viewed, or copied. That investigation revealed that access to data was possible, but it was not clear whether any patient data were accessed during the time that malware was installed. No evidence was uncovered to suggest that Arkansas Pain and Spine patients’ data were accessed but the possibility could not be ruled out.

The incident has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is unclear how many of the pain and Spine clinic’s patients were affected. In total, more than 265,000 individuals have been affected by the Bizmatics breach. The final total could exceed 300,000.

In the past few days, a further entry has appeared on the Office for Civil Rights breach portal. St. Louis, MO-based Laser & Dermatologic Surgery Center experienced a hacking/IT incident involving a network server that exposed the data of 31,000 patients. No breach notice has been placed on the healthcare provider’s website to indicate how the network server security breach occurred. Laser & Dermatologic Surgery Center could be another victim of the Bizmatics data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.