A one-time employee of Midwestern health care system SSM Health with legitimate access to thousands of patients’ records allegedly violated HIPAA privacy regulations in a data breach incident, the St. Louis-based company disclosed on Dec. 29.

How many victims? Roughly 29,000 patients have had their records accessed by the individual in question; however, only a small subset appear to have been subjected to illegal activity.

What type of information? Health information, including demographic and clinical records, but not financial information.

What happened? According to SSM Health, between Feb. 13 and Oct. 20, 2017, a then-employed customer service call center representative allegedly performed unspecified “illegal activities” involving the records of a “small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.”

What was the response? Upon learning of the incident on Oct. 30, SSM Health began notifying all 29,000 patients whose records were accessed at one time by the former employee, regardless of whether their information was used illegally. The company also said that it reported the incident to the Office for Civil Rights and local law enforcement, and began “requiring an additional identifier when patients request prescription refills from the call center, thoroughly reviewing internal policies and procedures, and further strengthening employee access monitoring tools.”

Additionally, SSM Health will provide free identity theft protection to affected patients who request it. Patients who believe they have been affected but received no notification can call this toll-free hotline: 1-888-710-9205.

Quote: “We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients,” said Scott Didion, system privacy officer, SSM Health, in the company’s online statement.