The American College of Cardiology (ACC) notified 1,400 institutions that patient data from the National Cardiovascular Data Registry (NCDR) might have been breached.
After discovering the issue in December, the ACC determined that four software development vendors engaged in software testing had access to NCDR patient data.
The data was copied between 2009 and 2010 and was included in one of more than 250 tables that software developers used in a test environment. According to ACC policy, the tables should not contain protected patient data.
“A small number of developers from contracted companies, all working with the ACC under confidentiality agreements, technically had access to the table,” the ACC said in a statement obtained by Cardiovascular Business. “These developers did not know that the data in the single data table was real; and the ACC’s follow-up investigation showed only one vendor, the only vendor with a business reason to use the table, had ever accessed the table with patient data.”
Sacred Heart Health System of Pensacola, Fla., announced on April 12 that it had notified 532 patients that protected health information it provides to the ACC had been inadvertently accessible to a software development company.
Sacred Heart said the ACC had notified the health system on Feb. 16 that names, dates of birth, Social Security numbers and internal patient identification numbers for 532 patients had been made available to software developers.
“Based on ACC’s investigation, we have no reason to believe that patient information has been used inappropriately,” Genevieve Harper, staff attorney and privacy officer for Sacred Heart Health System, said in a news release. “However, out of an abundance of caution, we have informed the patients of the disclosure so they might take steps to review credit reports and bank accounts for any misuse of their information.”
The ACC said it removed data from the test environment when it learned of the potential breach, notified the 1,400 institutions and told the vendor who accessed the table to destroy copies of any patient data it had obtained.
An average of fewer than 70 patients per institution might have been affected, according to the ACC. The ACC said it complied with HIPAA regulations, contacted each hospital that had patient data in the table and provided it with documentation of the ACC’s investigation.
“The ACC has no reason to believe that anyone other than employees and trusted vendors accessed protected patient data,” the ACC said.
More than 2,400 hospitals and more than 2,000 outpatient providers participate in the NCDR, which includes the following hospital and outpatient registries: the ACTION Registry-GWTG; AFib Ablation Registry; CathPCI Registry; ICD Registry; IMPACT Registry; PVI Registry; STS/ACC TVT Registry; Diabetes Collaborative Registry; and PINNACLE Registry.
Participants in the hospital registries submit data through an NCDR-certified software vendor, an NCDR-compatible data abstraction provider or an internet-based tool. Participants in the outpatient registries submit data through an electronic health record system or online.
The ACC said it had “significantly improved security controls and procedures” since the potential breach occurred sometime between 2009 and 2010.
“Specifically, as it relates to protected health information, the College has formalized procedures for transferring data from the live environment,” the ACC said. “The procedure requires the requestor to submit a support ticket which is then reviewed and executed by a database administrator that confirms the transfer of the data and conformance to scrubbing and de-identification processes. Additionally, the College maintains additional controls including but not limited to log review procedures, intrusion detection system, weekly security scanning, and annual security audits.”
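The control the ACC describes above, a scrubbing and de-identification step that a database administrator confirms before data leaves the live environment, as an added Python example that is not the ACC's code: a check that flags rows in a test extract which still look like real patient records (a well-formed Social Security number or a plausible date of birth), and a scrub routine that drops names and SSNs, replaces the patient identifier with a keyed pseudonym and reduces the date of birth to a year. The column names, the sample rows and the key are constructed assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample rows (hypothetical column names) standing in for one
# table in a test environment that should hold only de-identified data.
SAMPLE_TABLE = [
    {"patient_id": "MRN-00123", "name": "Jane Doe", "dob": "1957-03-14", "ssn": "123-45-6789"},
    {"patient_id": "TEST-0001", "name": "Test Patient", "dob": "1900-01-01", "ssn": "000-00-0000"},
]

# A well-formed SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def plausible_dob(value):
    """True if value parses as an ISO date in a range a living patient could have."""
    try:
        d = date.fromisoformat(str(value))
    except ValueError:
        return False
    return 1901 <= d.year <= date.today().year


def scan_for_phi(rows):
    """Return indexes of rows that still look like real records (the DBA's check)."""
    flagged = []
    for i, row in enumerate(rows):
        if SSN_RE.match(str(row.get("ssn", ""))) or plausible_dob(row.get("dob", "")):
            flagged.append(i)
    return flagged


def deidentify(rows, key):
    """Scrub direct identifiers before a table is copied out of the live environment.

    Names and SSNs are removed, the patient identifier becomes a keyed HMAC
    pseudonym, and the date of birth is reduced to a birth year, with ages over
    89 collapsed into one bucket (the HIPAA Safe Harbor treatment of dates).
    """
    out = []
    for row in rows:
        scrubbed = {k: v for k, v in row.items() if k not in ("name", "ssn", "dob")}
        scrubbed["patient_id"] = hmac.new(key, row["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        year = date.fromisoformat(row["dob"]).year
        scrubbed["birth_year"] = year if date.today().year - year <= 89 else "90+"
        out.append(scrubbed)
    return out
```

Running `scan_for_phi` on the scrubbed output should return an empty list; a non-empty result is the signal to stop the transfer rather than copy the table.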