BJC HealthCare, based in St. Louis, Missouri, has notified 33,420 patients that a misconfigured server left confidential information easily accessible through the Internet for more than eight months.
In a notice posted to its website, BJC HealthCare said it discovered a server configuration error during an internal security scan. The misconfigured server made it possible for stored images of identifying documents to be accessible through the Internet without the appropriate security controls during the time period of May 9, 2017, to January 23, 2018. Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue, according to the statement.
This is not the largest data breach so far in 2018. Back in January, Oklahoma State University Center for Health Sciences (OSUCHS) posted a notice that a data breach potentially affected 280,000 Medicaid enrollees. The organization said it discovered back in November that an unauthorized third party had gained access to folders on the OSUCHS computer network, which stored Medicaid patient billing information. OSUCHS launched an investigation, but the investigation could not rule out that the third party explicitly accessed patient information.
“The information in the folders may have included patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. It is important to note these folders did not contain medical records. A single social security number was contained on the server,” the organization said in a notice it posted to its website. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, that hacking incident affected 279,865 individuals.
Earlier this month, St. Peter’s Surgery and Endoscopy Center notified patients of a server security incident. On January 8, 2018, St. Peter’s, located in eastern upstate New York, discovered that an unauthorized third party gained access to its servers. The information contained on the server in question included patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information.
According to the OCR breach portal, the St. Peter’s Surgery and Endoscopy Center breach affected 134,512 individuals.
In the case of BJC HealthCare, the scanned documents on the data server included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009. Patient information that was potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information.
The BJC investigation did not reveal that any personal data was actually accessed, the organization said. Since the potential for access existed, BJC, out of an abundance of caution, has offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent further errors of this nature in the future.