St. Louis-based SSM Health is notifying at least 29,000 patients whose records were inappropriately accessed by an employee in the customer service call center between Feb. 13 and Oct. 20, 2017.
SSM Health learned of the incident Oct. 30 and immediately launched an internal investigation, which remains ongoing. Hospital spokesperson Brian Westrich declined comment to Becker's Hospital Review for that reason.
While the employee had access to protected health information to perform his job duties, the individual was not granted access to financial information, such as credit or debit card numbers. The focus of his illegal activities involved the medical records of a small number of patients with a controlled substance prescription and a primary care physician in the St. Louis area.
The hospital said it has implemented corrective actions, including requiring an additional identifier when patients request prescription refills from the call center, reviewing internal policies and procedures, and strengthening employee access monitoring tools. SSM Health will also offer free identity theft protection to affected individuals.
More articles on cybersecurity:
Jones Memorial Hospital experiences computer downtime following cyberattack