SSM Health call center agent with access to records allegedly violated patient privacy

A one-time employee of Midwestern health care system SSM Health with legitimate access to thousands of patients' records allegedly violated HIPAA privacy regulations in a data breach incident, the St. Louis-based company disclosed on Dec. 29.

How many victims? Roughly 29,000 patients have had their records accessed by the individual in question; however, only a small subset appear to have been subjected to illegal activity.

What type of information? Health information, including demographic and clinical records, but not financial information.

What happened? According to SSM Health, between Feb. 13 and Oct. 20, 2017, a then-employed customer service call center representative allegedly performed unspecified “illegal activities” involving the records of a “small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.”

What was the response? Upon learning of the incident on Oct. 30, SSM Health began notifying all 29,000 patients whose records were accessed at one time by the former employee, regardless of whether or not their information was used illegally. The company also said that it reported the incident to the Office for Civil Rights and local law enforcement, and began “requiring an additional identifier when patients request prescription refills from the call center, thoroughly reviewing internal policies and procedures, and further strengthening employee access monitoring tools.”

Additionally, SSM Health will provide free identity theft protection to affected patients, if they request it. Patients who believe they have been affected, but received no notification, can call this toll-free hotline: 1-888-710-9205.  

Quote: “We take very seriously our role of safeguarding our patients' personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients,” said Scott Didion, system privacy officer, SSM Health, in the company's online statement.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
