Three Hundred Thousand SSM Health Patients Have Protected Health Information Exposed

Jefferson City, Missouri based SSM Health St. Mary’s Hospital is contacting hundreds of thousands of patients to warn them that some of their protected health information has been left unprotected and may have have been accessed by unauthorized parties.

On November 16, 2014, St. Mary’s Hospital relocated to new offices and all patients’ medical records were moved to the new facility and were kept safe at all times. However, on June 1, 2018, the hospital saw that many documents containing protected health information had been left behind at the previous business location.

The documents accessed were mostly administrative and operational supporting documents and included only a restricted amount of protected health information. For most patients, the only information that was exposed was their name and medical record number. Some individuals also had some clinical data, demographic information, and financial information accessed.

Due to the number of files involved, the hospital has contracted a document services firm to list all the documents and determine which patients have had some of their PHI exposed. It has taken a considerable amount of time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients impacted. The breach report sent to the Department of Health and Human Services Office for Civil Rights states that 301,000 patients have had some of their PHI exposed.

Security measures and deterrents were in place at the old facility, although after looking into the matter, SSM Health found that those safeguards were inadequate to ensure the security of patient information and it was not possible to state, with absolute confidence, that the documents were not seen by unauthorized individuals during the three and a half years when they were inadequately secured.

While the incident is a data breach and requires that notifications to be sent to patients, SSM Health does not think patients face a significant risk of misuse of their information due to the restricted amount of PHI that was exposed and the age of the data.

The hospital has now implemented further steps to ensure that further privacy breaches do not happen including reviewing and revising policies and procedures for record storage, retention, and termination.