The protected health information (PHI) of 33,420 BJC Healthcare patients was accessible on the public internet for more than eight months, with no authentication required to view the data.
BJC Healthcare is one of the largest not-for-profit healthcare systems in the USA. The St. Louis-based health system operates two nationally recognized Missouri hospitals, Barnes-Jewish Hospital and St. Louis Children's Hospital, along with 13 others. It employs more than 31,000 staff, records over 154,000 hospital admissions a year, and carries out more than 175,000 home health visits annually.
On January 23, 2018, a security scan run by BJC Healthcare showed that one of its servers was misconfigured in a way that allowed sensitive information to be retrieved without authentication. The server was promptly reconfigured and secured so that the data could no longer be viewed. Notably, the exposure was found by a scan rather than by monitoring of access to the server, which is why it went unnoticed for so long.
The subsequent review found that the configuration error had been introduced on May 9, 2017, leaving scanned documents, including copies of identification documents, publicly visible. Highly sensitive data was exposed, including Social Security numbers, insurance card details, and driver's license information, along with patients' names, addresses, telephone numbers, dates of birth, and treatment-related information.
The scanned files stored on the server contained information collected from patients between 2003 and 2009. Patients seen at BJC Healthcare facilities after 2009 were not affected by the breach.
The review found no evidence that any of the documents had been accessed by unauthorized individuals, although unauthorized access could not be ruled out with a high degree of certainty. As a precaution, all patients whose protected health information was exposed have therefore been offered 12 months of identity theft protection services free of charge.
The incident has led BJC Healthcare to review its information system policies and procedures, which have been updated to prevent a recurrence of this type of misconfiguration.