BJC Healthcare has revealed that the protected health information (PHI) of 33,420 of its subscribers was publicly accessible for eight months, without the authentication controls that HIPAA requires before PHI can be viewed.
BJC Healthcare is one of the largest not-for-profit healthcare groups in the United States. The organization, based in St. Louis, runs two nationally recognized hospitals in Missouri, Barnes-Jewish Hospital and St. Louis Children's Hospital, together with 13 other facilities. The health system employs more than 31,000 workers, records more than 154,000 hospital admissions, and completes over 175,000 home health visits a year.
BJC Healthcare performed a security scan on January 23, 2018, which revealed that one of its servers had been misconfigured, permitting sensitive information to be accessed without adequate authentication checks. The server was promptly reconfigured and secured to prevent further access to the data.
The investigation found that the error was made when the server was configured on May 9, 2017, leaving documents, including scanned copies of identification documents, accessible. The exposed information included Social Security details, insurance cards, and driver's license particulars, along with patients' names, addresses, contact telephone numbers, ages, and treatment-related information.
The scanned documents held on the server contained information gathered from patients treated between 2003 and 2009. Individuals who attended BJC Healthcare facilities after 2009 were not affected by the breach.
The investigation found no evidence that any of the documents were accessed by unauthorized people, although unauthorized access could not be ruled out with a high degree of certainty. Out of an abundance of caution, all individuals whose protected health information may have been obtained have therefore been offered identity theft protection services free of charge for one year.
In response to the incident, BJC Healthcare has reviewed and updated its policies and processes for data storage to prevent a recurrence of this kind of exposure.