BJC HealthCare in St. Louis notified 33,420 patients a data server configuration error exposed stored scans of certain documents on the internet without the appropriate security controls from May 9, 2017, to Jan. 23, 2018, a hospital spokesperson confirmed to Becker's Hospital Review.
Hospital officials discovered the exposure during an internal security scan and immediately reconfigured the server to the correct setting. According to the hospital's investigation, no personal data was actually accessed.
The scanned documents on the server included copies of patient driver's licenses, insurance cards and treatment-related documents collected during hospital visits between 2003 and 2009. Patient information — such as name, address, telephone number, date of birth, Social Security number, driver's license number, insurance information and treatment-related information — were potentially accessible.
Although no BJC data was accessed, the hospital offered affected patients free identity theft monitoring as a precaution. Patients whose data was stored on the server were mailed a letter that explained the situation, how to enroll in identity theft protection and where to direct any questions.
More articles on cybersecurity:
Most cyberattacks cause 4 hours of downtime: 7 things to know
McAfee logs 478 cyberattacks every minute: 6 report findings
How are healthcare organizations addressing information security? 4 survey findings