PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months


The protected health information of 33,420 patients of BJC Healthcare was accessible on the Internet for 8 months, with no authentication required to view it.

BJC Healthcare is among the biggest not-for-profit healthcare systems in the United States. The St. Louis-based health system operates two nationally renowned hospitals in Missouri, Barnes-Jewish Hospital and St. Louis Children’s Hospital, together with 13 others. The health system employs over 31,000 people, has more than 154,000 hospital admissions, and carries out more than 175,000 home health visits a year.

On January 23, 2018, BJC Healthcare carried out a security check which revealed that one of its computer networks had been misconfigured, allowing confidential information to be accessed without authentication. Action was taken immediately to reconfigure and secure the computer network to prevent data from being accessed.

The investigation revealed that a mistake had been made when configuring the server on May 9, 2017, which left documents and copies of identification papers accessible. Highly sensitive information such as insurance cards, Social Security numbers, and driver’s license numbers was exposed, together with patients’ names, dates of birth, contact telephone numbers, addresses, and treatment-related information.

The scanned documents stored on the server contained information collected from patients between 2003 and 2009. Patients who visited BJC Healthcare facilities after 2009 were not affected by the breach.

The investigation did not uncover evidence to indicate that any of the documents were accessed by unauthorized individuals, although data access could not be ruled out with a high level of certainty. For that reason, out of an abundance of caution, all patients whose PHI was exposed have been offered identity theft protection services without charge for 12 months.

The security incident has prompted BJC Healthcare to revise its information system processes and policies, which have been updated to prevent further incidents of this type.