BJC HealthCare (“BJC”) is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns a security incident that may have involved some of that information for a specific group of patients.
On March 6, 2020, we identified suspicious activity within three BJC employees’ email accounts. BJC immediately took steps to secure the email accounts, and a leading computer forensic firm was engaged to assist with the investigation. The investigation determined that an unauthorized person gained access to the employee email accounts for a limited period of time on March 6, 2020. The investigation was unable to determine whether the unauthorized person viewed any emails or attachments in the employee email accounts. Out of an abundance of caution, BJC reviewed all the emails and attachments contained in the accounts to identify patient information that may have been accessible to the unauthorized person. Through this review, BJC identified emails and/or attachments in the accounts that contained patient information, which may have included some patients’ names, dates of birth, medical record or patient account numbers, and limited treatment and/or clinical information, such as visit dates, provider names, medications, diagnoses, and/or testing information. In some instances, patients’ Social Security numbers and/or drivers’ license numbers were also identified in the accounts.
This incident did not affect all BJC or affiliated hospitals’ and service organizations’ patients, but only those patients whose information was included in the affected email accounts. The affiliated hospitals and service organizations whose information was affected by this incident include:
Alton Memorial Hospital
Barnes-Jewish St. Peters Hospital
Barnes-Jewish West County Hospital
BJC Corporate Health Services dba BarnesCare
BJC Medical Group
Boone Hospital Center
Missouri Baptist Medical Center
Missouri Baptist Sullivan Hospital
Parkland Health Center Farmington
Parkland Health Center Bonne Terre
Progress West Hospital
St. Louis Children’s Hospital
There is no evidence that any of patient information was actually viewed by the unauthorized person, or that it has been misused. However, in an abundance of caution, , BJC mailed letters to patients whose information was identified in the employee email accounts. BJC also established a dedicated, toll-free call center to answer patients’ questions. If you have questions, please call (866) 423-7547, Monday through Friday, from 8:00 a.m. to 6:00 p.m. Central Time. For those patients whose Social Security numbers and/or drivers’ license numbers are identified in the email accounts, BJC is offering complimentary credit monitoring and identity protection services. BJC also recommends that affected patients review any statements they receive from their health care providers. If patients see charges for services not received, they should contact the provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of patient information. To help prevent something like this from happening in the future, BJC has reinforced education with staff regarding how to identify and avoid suspicious emails and is making additional security enhancements to its email environment.
Updated June 17, 2020