ST. LOUIS, MO — BJC HealthCare, one of St. Louis’ largest health care providers, notified patients this week of a massive security breach that may have disclosed their driver’s licenses, insurance cards, Social Security numbers and medical records to the public. The organization said in a press release that it discovered the cause of the breach — a server configuration error — during an internal security scan and that the confidential documents were exposed between May 2017 and January 2018.
More than 33,000 patients are affected.
BJC, which is associated with Washington University Physicians and includes Barnes-Jewish Hospital and St. Louis Children’s Hospital, said it did not determine that any patient information was actually accessed, but since the potential exists, it notified patients “out of an abundance of caution.” The health care provider will offer those patients complimentary identity theft protection as a precautionary measure.
“BJC has implemented additional information systems processes to prevent further errors of this nature in the future,” the organization said.
Patient information is protected by a federal law called the Health Insurance Portability and Accountability Act, or HIPAA. That law sets standards that hospitals and other health care providers must follow to protect their patients’ private data. According to the Department of Health and Human Services, the adoption of electronic health records, while allowing more efficient patient care, has also increased the risk of patients’ data being exposed.
BJC said it had complied with HHS’s notification requirements, which include letters to patients and a public news release.
If you were affected by the breach, you should receive a letter in the mail with details on how to enroll in identity theft protection. Patients with questions should call 844-416-6281.