BJC HealthCare said a data storage error potentially compromised 33,420 patient records when the information was accidentally made publicly available for nine months.
BJC, based in St. Louis, said in a statement that a misconfigured server was left without a security protocol in place making it possible for someone to view scanned documents containing patient's driver's licenses, insurance cards and treatment-related documents from 2003 to 2009. Other patient data that was possibly left visible included name, address, telephone number, date of birth, Social Security number, driver's license number, insurance information and treatment-related inform. The server itself was left unsecure from May 9, 2017 through January 23, 2018.
The issue was discovered during an internal security audit.
“The BJC investigation did not reveal that any personal data was actually accessed. Since the potential for access existed, BJC out of an abundance of caution has offered affected patients complimentary identity theft protection. BJC has implemented additional information systems processes to prevent further errors of this nature in the future,” BJC said.