Three Hundred Thousand SSM Health Patients Have Protected Health Information Exposed

by | Aug 13, 2018

Jefferson City, Missouri based SSM Health St. Mary’s Hospital is contacting hundreds of thousands of patients to warn them that some of their protected health information has been left unprotected and may have have been accessed by unauthorized parties.

On November 16, 2014, St. Mary’s Hospital relocated to new offices and all patients’ medical records were moved to the new facility and were kept safe at all times. However, on June 1, 2018, the hospital saw that many documents containing protected health information had been left behind at the previous business location.

The documents accessed were mostly administrative and operational supporting documents and included only a restricted amount of protected health information. For most patients, the only information that was exposed was their name and medical record number. Some individuals also had some clinical data, demographic information, and financial information accessed.

Due to the number of files involved, the hospital has contracted a document services firm to list all the documents and determine which patients have had some of their PHI exposed. It has taken a considerable amount of time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients impacted. The breach report sent to the Department of Health and Human Services Office for Civil Rights states that 301,000 patients have had some of their PHI exposed.

Security measures and deterrents were in place at the old facility, although after looking into the matter, SSM Health found that those safeguards were inadequate to ensure the security of patient information and it was not possible to state, with absolute confidence, that the documents were not seen by unauthorized individuals during the three and a half years when they were inadequately secured.

While the incident is a data breach and requires that notifications to be sent to patients, SSM Health does not think patients face a significant risk of misuse of their information due to the restricted amount of PHI that was exposed and the age of the data.

The hospital has now implemented further steps to ensure that further privacy breaches do not happen including reviewing and revising policies and procedures for record storage, retention, and termination.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy