It has been discovered that a former worker at SSM Health, a St. Louis, MO-based not-for-profit health system, accessed patient health records for 8 months without any legitimate work reason.
The individual worked in SSM Health's customer service call center and, because of that role, had access only to demographic, health, and clinical data, not to financial information.
The access was discovered by SSM Health on October 30, prompting a thorough investigation to determine which records had been accessed and which patients were potentially affected. The investigation revealed that the medical histories of patients in multiple states were obtained by the individual between February 13 and October 20, 2017.
The individual chiefly focused on the records of patients of a primary care physician in the St. Louis area, specifically patients who had been prescribed a controlled substance. While that subset of patients was comparatively small, it was not possible to determine the full scope of the privacy breach, so SSM Health took the step of contacting all patients whose records had been accessed by the individual. In many instances, that access will have been for legitimate work reasons.
In total, 29,000 people have been notified of the incident and warned that their protected health information may have been accessed by the individual and could potentially have been misused. Those people have been advised that they can take advantage of identity theft protection services free of charge for one year.
SSM Health has also changed its procedures to require an additional identifier when patients request prescription refills through its call center. Internal policies and procedures have been reviewed, and employee access monitoring tools have been strengthened so that any potential unauthorized employee activity is identified more rapidly going forward.
The breach has been reported to the Department of Health and Human Services' Office for Civil Rights, and law enforcement has been contacted regarding it.
SSM Health privacy officer, Scott Didion, remarked, “We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.”
SSM Health had already reported a previous incident in the past year. In May, the group reported that an electromyography device storing the protected health information (PHI) of 836 patients had been taken from DePaul Hospital St Louis, based in Bridgeton, MO.