Three Hundred Thousand SSM Health Patients Have Protected Health Information Exposed

by Ryan Coyne | Aug 13, 2018

Jefferson City, Missouri based SSM Health St. Mary’s Hospital is contacting hundreds of thousands of patients to warn them that some of their protected health information has been left unprotected and may have have been accessed by unauthorized parties.

On November 16, 2014, St. Mary’s Hospital relocated to new offices and all patients’ medical records were moved to the new facility and were kept safe at all times. However, on June 1, 2018, the hospital saw that many documents containing protected health information had been left behind at the previous business location.

The documents accessed were mostly administrative and operational supporting documents and included only a restricted amount of protected health information. For most patients, the only information that was exposed was their name and medical record number. Some individuals also had some clinical data, demographic information, and financial information accessed.

Due to the number of files involved, the hospital has contracted a document services firm to list all the documents and determine which patients have had some of their PHI exposed. It has taken a considerable amount of time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients impacted. The breach report sent to the Department of Health and Human Services Office for Civil Rights states that 301,000 patients have had some of their PHI exposed.

Security measures and deterrents were in place at the old facility, although after looking into the matter, SSM Health found that those safeguards were inadequate to ensure the security of patient information and it was not possible to state, with absolute confidence, that the documents were not seen by unauthorized individuals during the three and a half years when they were inadequately secured.

While the incident is a data breach and requires that notifications to be sent to patients, SSM Health does not think patients face a significant risk of misuse of their information due to the restricted amount of PHI that was exposed and the age of the data.

The hospital has now implemented further steps to ensure that further privacy breaches do not happen including reviewing and revising policies and procedures for record storage, retention, and termination.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter