BJC Healthcare HIPAA Breach Exposes PHI of 33,420 Over 8 Months

by Patrick Kennedy | Mar 14, 2018

The PHI of 33,420 BJC Healthcare patients was publicly accessible online for eight months, with no authentication required to view the data.

BJC Healthcare is one of the largest not-for-profit healthcare systems in the USA. The St. Louis-based healthcare group operates two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital – along with 13 others. The health system has a staff of more than 31,000, records over 154,000 hospital admissions, and carries out more than 175,000 home health visits annually.

On January 23, 2018, BJC Healthcare completed a security scan that showed one of its servers had been improperly configured, allowing sensitive information to be accessed without authentication. Action was quickly taken to reconfigure and secure the server so that the data could no longer be viewed.

The review showed that a configuration error had been made on the server on May 9, 2017, leaving scanned documents and copies of identification documents visible. Highly sensitive data, including Social Security numbers, insurance cards, and driver’s license details, were exposed along with patients’ names, addresses, contact telephone numbers, dates of birth, and treatment-related data.

The scanned files saved on the server contained information obtained from patients between 2003 and 2009. Patients who attended BJC Healthcare centers after 2009 were not impacted by the breach.

The review did not uncover evidence that any of the documents were obtained by unauthorized individuals, although unauthorized access could not be ruled out with a high degree of certainty. Therefore, as a precautionary measure, all patients whose protected health information was exposed have been offered free identity theft protection services for 12 months.

The security incident has led BJC Healthcare to review its information system policies and procedures, which have been updated to prevent further incidents of this nature.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
