BJC HealthCare Notifies Patients of Data Storage Server Access
BJC HealthCare has notified 33,420 patients that a data server configuration error, discovered during an internal security scan, made it possible for stored images of identifying documents to be accessible through the Internet without the appropriate security controls during the time period of May 9, 2017, to January 23, 2018. Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue.
The scanned documents on the data server included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009. Patient information that was potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information.
The BJC investigation did not reveal that any personal data was actually accessed. Since the potential for access existed, BJC out of an abundance of caution has offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent further errors of this nature in the future.
Patients whose data was stored on the server have been mailed a letter explaining what occurred, how to enroll in identity theft protection as a precaution, and who to contact with any questions. Patient questions can be directed to 844-416-6281.
BJC HealthCare has complied with all U.S. Department of Health and Human Services Office for Civil Rights notification requirements, including individual patient letters, public news release and website posting.