A data server configuration error at 15-hospital BJC Healthcare, which serves the greater St. Louis region, resulted in stored images of patient-identifying documents being posted on the Internet from May 9, 2017, to this past January 23, when the error was discovered during an internal security scan.

Now, the organization is notifying 33,420 affected patients and offering identity theft protection services.

The scanned documents included such information as patient names, addresses, telephone numbers, dates of birth, driver license numbers, insurance information, Social Security numbers and treatment-related information.

An investigation found no evidence that protected health information was accessed, but the possibility that the data had been accessed compelled the organization to offer protection, it told affected patients.

New processes have been put in place throughout the organization to prevent a similar error from occurring in the future, and patients have received a letter explaining the incident, how to enroll in the identity theft protection program, and who to contact to ask questions.

Zohar Alon, CEO at Dome9, a vendor of cloud-based data security products, says occasional security scans are no longer effective in protecting information.

“Security-conscious organizations are moving away from periodic, semi-annual internal scans and investing in continuous security and compliance capabilities that allow them to monitor and get alerted on such exposures quickly,” he notes. “Unfortunately, there’s still a large number of organizations that have not made this transition for one reason or another—whether that’s budget constraints or the talent and expertise they have at their disposal.”

In response to inquiries about the data exposure, BJC Healthcare declined to provide additional details about the incident.
