BJC HealthCare Reports Misconfigured Server Exposed Patient Data | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

BJC HealthCare Reports Misconfigured Server Exposed Patient Data

March 14, 2018
by Heather Landi
| Reprints

BJC HealthCare, based in St. Louis, Missouri, has notified 33,420 patients that a misconfigured server left confidential information easily accessible through the Internet for more than eight months.

In a notice posted to its website, BJC HealthCare is it a server configuration error during an internal security scan. The misconfigured server made it possible for stored images of identifying documents to be accessible through the Internet without the appropriate security controls during the time period of May 9, 2017, to January 23, 2018. Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue, according to the statement.

This is not the largest data breach so far in 2018. Back in January, Oklahoma State University Center for Health Sciences (OSUCHS) posted a notice that a data breach potentially affected 280,000 Medicaid enrollees. The organization said it discovered back in November that an authorized third party had gained access to folders on the OSUCHS computer network, which stored Medicaid patient billing information. OSUCHS launched an investigation, but an investigation could not rule out whether the third party explicitly accessed patient information.

“The information in the folders may have included patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. It is important to note these folders did not contain medical records. A single social security number was contained on the server,” the organization said in a notice it posted to its website. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, that hacking incident affected 279,865 individuals.

Earlier this month, St. Peter’s Surgery and Endoscopy Center notified patients of a server security incident. On January 8, 2018, St. Peter’s, located in eastern upstate New York, discovered that an unauthorized third party gained access to its servers. The information contained on the server in question included patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information.

According to the OCR breach portal, the St. Peter’s Surgery and Endoscopy Center breach affected 134,512 individuals.

In the case of the BJC HealthCare, the scanned documents on the data server included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009. Patient information that was potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information. 

The BJC investigation did not reveal that any personal data was actually accessed, the organization said. Since the potential for access existed, BJC, out of an abundance of caution, has offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent further errors of this nature in the future. 


2018 Minneapolis Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

June 13 - 14, 2018 | Minneapolis



Mass. General, Eastern Maine Healthcare Systems Form Clinical Affiliation

Massachusetts General Hospital will form a clinical affiliation with Eastern Maine Healthcare Systems, in which the two provider organizations will collaborate on areas as telemedicine, research, and protocols for providing care, according to a report in the Boston Globe.

Humanitarian Data Exchange Wins Health Data Liberator Award

Sarah Telford and Ahmadou Dicko were named the winners of this year’s Health Data Liberator award at the Health Datapalooza conference in Washington, D.C., for their work on the Humanitarian Data Exchange.

Survey: Optimism for Health IT Startups in 2018, Skepticism for Amazon Healthcare Partnership

Despite all the buzz about new entrants disrupting healthcare, the majority of healthcare stakeholders are dubious about the impact of the Amazon/Berkshire Hathaway/JP Morgan healthcare partnership and believe the effort will face substantial challenges, according to a survey by venture capital firm Venrock.

NIH Awards $10M to Alabama-based Newborn Genome Sequencing Project

The National Institutes of Health (NIH) has awarded a four-year, $10 million grant to HudsonAlpha Institute for Biotechnology, a Huntsville, Ala.-based genomics and genetics research institute, in collaboration with the University of Alabama at Birmingham (UAB) School of Medicine and the University of Mississippi Medical Center, to investigate how genome sequencing can help with the diagnosis and care of babies with birth defects and genetic disorders.

Senate Committee Advances Opioid Bill that Includes Telehealth Provisions

The Senate Health, Education, Labor and Pensions (HELP) Committee voted Tuesday to advance a bipartisan opioid bill, called the Opioid Crisis Response Act of 2018, that includes provisions promoting the use of telemedicine in substance abuse treatment.

Florida Insurer Establishes Digital Health and Wellbeing Program for Members

Florida Blue, a health insurer based in Jacksonville, has announced a partnership with Welltok. The goal of the collaboration will be to provide Florida Blue members with access to a digital health and wellbeing program designed to help them become and stay healthy.