BJC HealthCare has notified 33,420 patients that a data server configuration error, discovered during an internal security scan, left stored images of identifying documents accessible through the Internet without the appropriate security controls from May 9, 2017, to Jan. 23, 2018.
Immediately upon discovery, BJC said, the server was reconfigured to the correct setting and an investigation began.
The scanned documents on the data server included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009.
Patient information that was potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information.
The BJC investigation did not reveal that any personal data was actually accessed. Because the potential for access existed, BJC has, out of an abundance of caution, offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent errors of this nature in the future.
Patients whose data was stored on the server have been mailed a letter explaining what occurred, how to enroll in identity theft protection as a precaution, and whom to contact with any questions. Patient questions can be directed to (844) 416-6281.
BJC HealthCare has complied with all U.S. Department of Health and Human Services Office for Civil Rights notification requirements, including individual patient letters, public news release and website posting.