Data of 33,420 BJC patients posted on Internet for 8 months
A data server configuration error at 15-hospital BJC Healthcare, which serves the greater St. Louis region, resulted in stored images of patient-identifying documents being posted on the Internet from May 9, 2017, to this past January 23, when the error was discovered during an internal security scan.
Now, the organization is notifying 33,420 affected patients and offering identity theft protection services.
The scanned documents included such information as patient names, addresses, telephone numbers, dates of birth, driver's license numbers, insurance information, Social Security numbers and treatment-related information.
An investigation found no evidence that protected health information was accessed, but the possibility that data was accessed compelled the organization to offer protection, the organization told affected patients.
New processes have been put in place throughout the organization to prevent a similar error from occurring in the future, and patients have received a letter explaining the incident, how to enroll in the identity theft protection program, and who to contact to ask questions.
Zohar Alon, CEO at Dome9, a vendor of cloud-based data security products, says occasional security scans are no longer effective in protecting information.
“Security-conscious organizations are moving away from periodic, semi-annual internal scans and investing in continuous security and compliance capabilities that allow them to monitor and get alerted on such exposures quickly,” he notes. “Unfortunately, there’s still a large number of organizations that have not made this transition for one reason or another—whether that’s budget constraints or the talent and expertise they have at their disposal.”
In response to inquiries about the data exposure, BJC Healthcare declined to provide additional details about the incident.