Misconfigured server at BJC HealthCare exposed patient data for more than 8 months

BJC HealthCare said a server that stores patient data was left misconfigured for more than eight months. (Getty/gintas77)

BJC HealthCare has notified more than 33,000 patients that a misconfigured server left confidential information easily accessible for more than eight months.

In a notice posted to its website, St. Louis-based BJC HealthCare said a server configuration error meant images and documents were accessible through the internet between May 9, 2017 and January 23, 2018. Although an investigation indicated that no patient data had been accessed, patient names, addresses, Social Security numbers, insurance information and treatment-related information were stored on the server.

“Immediately upon discovery, BJC reconfigured the server to the correct setting and began an investigation of the issue,” according to the announcement.

Human error and unintended disclosure were some of the most common causes of data breaches in 2017. In one instance, security researchers discovered that a home monitoring company leaked blood tests and medical information associated with more than 150,000 patients because an Amazon-hosted cloud repository was misconfigured to allow public access.

The BJC HealthCare incident follows the second-largest reported data breach in 2018, when St. Peter’s Surgery & Endoscopy Center in Albany, New York informed more than 134,000 patients that a cyberattack on its servers potentially exposed personal and medical data. Although the provider discovered the attack on the same day it occurred and “immediately took steps to secure the information on those servers,” it was unable to definitively rule out that patient data had been accessed.

Earlier this year, Oklahoma State University reported a data breach that impacted nearly 280,000 Medicaid enrollees.