Misconfigured server at BJC HealthCare exposed patient data for more than 8 months


BJC HealthCare has notified more than 33,000 patients that a misconfigured server left confidential information easily accessible for more than eight months.

In a notice posted to its website, St. Louis-based BJC HealthCare said a server configuration error meant images and documents were accessible through the internet between May 9, 2017 and January 23, 2018. Although an investigation indicated that no patient data had been accessed, patient names, addresses, Social Security numbers, insurance information and treatment-related information were stored on the server.

“Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue,” according to the announcement.



Human error and unintended disclosure were some of the most common causes of data breaches in 2017. In one instance, security researchers discovered that a home monitoring company leaked blood tests and medical information associated with more than 150,000 patients because an Amazon-hosted cloud repository was misconfigured to allow public access.


The BJC HealthCare incident follows the second-largest reported data breach in 2018, when St. Peter’s Surgery & Endoscopy Center in Albany, New York, informed more than 134,000 patients that a cyberattack on its servers potentially exposed personal and medical data. Although the provider discovered the attack on the same day it occurred and “immediately took steps to secure the information on those servers,” it was unable to definitively rule out that patient data had been accessed.

Earlier this year, Oklahoma State University reported a data breach that impacted nearly 280,000 Medicaid enrollees.
