The personal information of 33,420 patients of BJC HealthCare was exposed to the Internet for seven months, the St. Louis-based healthcare company stated in a March press release.
Patient information that was potentially accessible included name, address, phone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related documents that were collected during hospital visits spanning 2003 to 2009.
BJC HealthCare is one of the largest nonprofit healthcare organizations in the United States, and serves metro St. Louis, mid-Missouri and Southern Illinois.
Officials said the security flaw was discovered during an internal security scan. A data server configuration error made stored images of identifying documents accessible through the Internet from May 9, 2017, to January 23, 2018. Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue.
In the release, BJC officials said their investigation did not reveal that any personal data was accessed, and that the company has implemented additional information systems processes to prevent similar errors in the future.