Server Breach Affects Over 8,000 Patients at ASPC


The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of their protected health information. The organisations-based in San Antonio, Texas, has notified as many as 8,362 of their patients that they have been affected by the incident.


ASPC became aware of a potential breach of ePHI on July 31, 2017 when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached, and patient contact information access by an unauthorised individual.


That investigation revealed unauthorized individuals had gained access to an ASPC server, despite the extensive protections the CE had on their servers, which included firewalls, network filtering, security monitoring, password protection, and antivirus software. In The accordance with HIPAA legislation, the incident has been reported to law enforcement and the Department of Health and Human Services’ Office for Civil Rights has been notified.


While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach.


Since it is possible that patients’ ePHI was viewed or obtained by unauthorized individuals, ASPC has offered all affected patients identity theft protection services and coverage with a $1,000,000 insurance reimbursement policy. A full network scan has been conducted and steps have been taken to ensure the network is secured.


Since the attack, the network had been monitored for any evidence of continued unauthorised use, but none was uncovered. The breach is believed to have been contained, and patient ePHI is now secure.


An analysis of the compromised server has shown the following PHI may have been viewed: Names, addresses, telephone numbers, state and zip codes, Social Security numbers, birth dates, medical records, x-ray images and lab test results, scheduling notes, billing information, insurance information, CPT codes, ID numbers, group numbers, and patients’ gender. No payment information or credit/debit cards were compromised.