BJC Healthcare HIPAA Breach Discloses PHI of 33,420 Over 8 Months

March 16, 2018


The PHI of 33,420 individuals of BJC Healthcare has been available by the public online for 8 months with no need for verification to view the data.

BJC Healthcare is among the largest not-for-profit healthcare organizations in the USA. The St. Louis-located healthcare group manages two nationally recognized hospices situated in Missouri – St. Louis Children’s Hospital and Barnes-Jewish Hospital along with 13 others. The health system has a workforce of more than 31,000 people, has over 154,000 hospital admissions and performs more than 175,000 home health visits yearly.

On January 23, 2018, BJC Healthcare finished a safety scan which demonstrated one of its servers had been wrongly arranged which let confidential information to be retrieved without verification. An action was swiftly taken to reconfigure and protect the server to avoid data from being seen.

The revision showed a mistake had been made arranging the server on May 9, 2017, leaving documents and copies of recognition documents discernible. Highly confidential data including Social Security numbers, dates of birth, contact telephone numbers, addresses, and driver’s license details were exposed along with patients’ names, treatment-related data and insurance cards.

The scanned files saved on the server had information obtained from patients between 2003 and 2009. Patients who visited BJC Healthcare centers after 2009 were not affected by the breach.

The revision didn’t disclose proof to indicate any of the documents were obtained by illegal people, even though data access might not be excluded with a high level of confidence. For that reason, as a precautionary measure, all patients whose PHI was disclosed have been offered free identity theft safety facilities for 12 months.

The safety incident has led to BJC Healthcare revising its information system procedures and policies, which have been revised to prevent any further occurrences of this type from taking place.