BJC Healthcare, a non-profit healthcare system, runs two nationally recognized hospitals in St. Louis, Missouri namely St. Louis Children’s Hospital and Barnes-Jewish Hospital plus 13 other hospitals. It has over 31,000 employees, admits more than 154,000 patients and performs over 175,000 home health visits each year. Recently, BJC Healthcare experienced a data breach resulting in the exposure of the protected health information of 33,420 patients. For eight months, any person can view the patients’ PHI on the internet.
BJC Healthcare only became aware of the data breach when they conducted a security scan on January 23, 2018. One server was discovered to have misconfigured settings, which allowed the access of sensitive information without any need for authentication. The IT team immediately reconfigured the settings securing the server from further data access.
According to the investigators, an error was made during the configuration of the server on May 9, 2017. The mistake left documents with sensitive information accessible to the public. The following sensitive information were potentially compromised: patients’ names, contact numbers, addresses, dates of birth, treatment information, Social Security numbers, driver’s license numbers and insurance card numbers. The sensitive information belonged to patients who visited BJC Healthcare facilities from 2003 to 2009. The PHI of other patients who visited the facilities after 2009 was not impacted by the data breach.
Even with the 8-month exposure of the sensitive documents, there was no evidence found or report received suggesting that unauthorized persons accessed the documents. Nevertheless, there’s no certainty that data was not accessed. As a cautionary response, the patients impacted by the data breach were offered free identity theft protection services for 12 months. BJC Healthcare also reviewed its policies and procedures, updating what should be updated to ensure that this kind of data breach won’t happen again.