BJC HealthCare Reports Misconfigured Server Exposed Patient Data | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

BJC HealthCare Reports Misconfigured Server Exposed Patient Data

March 14, 2018
by Heather Landi
| Reprints

BJC HealthCare, based in St. Louis, Missouri, has notified 33,420 patients that a misconfigured server left confidential information easily accessible through the Internet for more than eight months.

In a notice posted to its website, BJC HealthCare is it a server configuration error during an internal security scan. The misconfigured server made it possible for stored images of identifying documents to be accessible through the Internet without the appropriate security controls during the time period of May 9, 2017, to January 23, 2018. Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue, according to the statement.

This is not the largest data breach so far in 2018. Back in January, Oklahoma State University Center for Health Sciences (OSUCHS) posted a notice that a data breach potentially affected 280,000 Medicaid enrollees. The organization said it discovered back in November that an authorized third party had gained access to folders on the OSUCHS computer network, which stored Medicaid patient billing information. OSUCHS launched an investigation, but an investigation could not rule out whether the third party explicitly accessed patient information.

“The information in the folders may have included patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. It is important to note these folders did not contain medical records. A single social security number was contained on the server,” the organization said in a notice it posted to its website. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, that hacking incident affected 279,865 individuals.

Earlier this month, St. Peter’s Surgery and Endoscopy Center notified patients of a server security incident. On January 8, 2018, St. Peter’s, located in eastern upstate New York, discovered that an unauthorized third party gained access to its servers. The information contained on the server in question included patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information.

According to the OCR breach portal, the St. Peter’s Surgery and Endoscopy Center breach affected 134,512 individuals.

In the case of the BJC HealthCare, the scanned documents on the data server included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009. Patient information that was potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information. 

The BJC investigation did not reveal that any personal data was actually accessed, the organization said. Since the potential for access existed, BJC, out of an abundance of caution, has offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent further errors of this nature in the future. 


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Healthcare Execs Anticipate High Cost Returns from Predictive Analytics Use

Healthcare executives are dedicating budget to predictive analytics, and are forecasting significant cost savings in return, according to new research from the Illinois-based Society of Actuaries.

Adam Boehler Tapped by Azar to Serve as Senior Value-Based Care Advisor

Adam Boehler, currently director of CMMI, has also been named the senior advisor for value-based transformation and innovation, HHS Secretary Alex Azar announced.

Vivli Launches Clinical Research Data-Sharing Platform

On July 19 a new global data-sharing and analytics platform called Vivli was unveiled. The nonprofit group’s mission is to promote, coordinate and facilitate scientific sharing and reuse of clinical research data.

Survey: More Effective IT Needed to Improve Patient Safety

In a Health Catalyst survey, physicians, nurses and healthcare executives said ineffective information technology, and the lack of real-time warnings for possible harm events, are key obstacles to achieving their organizations' patient safety goals.

Physicians Still Reluctant to Embrace Virtual Tech, Survey Finds

While consumers and physicians agree that virtual healthcare holds great promise for transforming care delivery, physicians still remain reluctant to embrace the technologies, according to a new Deloitte Center for Health Solutions survey.

Geisinger, AstraZeneca Partner on Asthma App Suite

Geisinger has partnered with pharmaceutical company AstraZeneca to create a suite of products that integrate into the electronic health record and engage asthma patients and their providers in co-managing the disease.