So this is a bit unusual. Advanced Spine & Pain Center in San Antonio notified its patients on September 25 following two concerning events that may or may not be related. The first involved some patients receiving phone calls asking them to pay outstanding balances. As part of investigating that incident, ASPC discovered that their server had been accessed. But were the two things related to each other or coincidental? It wasn’t clear, it seems. The following is their notification from September 25, 2017. According to their submission to HHS, they had 8,362 patients potentially affected:
SAN ANTONIO – Advanced Spine & Pain Center (ASPC) notified patients of a security incident that took place earlier this summer.
ASPC began investigating a possible security incident on July 31, 2017 after learning that some patients were being contacted and asked to pay an outstanding balance by an unknown person. As part of its investigation, ASPC discovered that its server was accessed by one or more unauthorized users.
Recent monitoring of the network did not identify any unauthorized users accessing its network. Analysis of the server was inconclusive when trying to determine if any private information was accessed. Also, it could not be determined whether this incident was linked with the initial security incident involving telephone calls to a limited number of patients.
Information potentially affected by this incident includes demographic information to include name, address, Social Security Number, date of birth, state, zip code, telephone, and gender; medical information to include medical records, labs, x-rays, and scheduling notes; and billing information to include primary insurance, CPT codes, phone, ID number, and Group number. However, potentially affected information did not include financial or payment information to include credit card or bank account information.
APSC recently sent letters to those patients whose private information may have been affected by this incident. ASPC is offering those patients who were potentially affected identity theft protection services through ID Experts®, which includes twelve months of credit monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials, and fully managed ID theft recovery services. APSC encourages patients to take appropriate measures to protect their credit information and to contact ID Experts with any questions. More information can be found in the letter provided to affected patients.
A variety of security measures were in place before this incident, including network filtering and security monitoring, firewalls, antivirus software and password protection. Upon learning of the initial security incident, ASPC made a police report and contacted the FBI. It also conducted an internal investigation of its server and computer network. The practice also is taking appropriate measures to secure its network. Its investigation is ongoing, and patients will be notified of any significant developments at the practice’s website.
ASPC takes its patients’ privacy and the security of information very seriously and regrets any inconvenience this may have caused. Patients should call 1-866-537-1672 for assistance or with any additional questions. Patients can also check ASPC’s website, http://advancedspineandpaincenter.com, for updated information.