Medical data of 33,000 BJC HealthCare patients exposed online for 8 months

An internal scan by the St. Louis-based health system found a misconfigured server could be easily accessed without authentication.
By Jessica Davis
March 14, 2018
03:09 PM

BJC's Barnes-Jewish Hospital in St. Louis. Photo Credit: BJC

The data of 33,420 patients of BJC HealthCare was left exposed to the internet for eight months after the St. Louis-based provider misconfigured one of its servers.

BJC, which includes 15 hospitals, is one of the largest nonprofit healthcare systems in the U.S.

The open server was discovered by an internal scan on Jan. 23, which found one of its servers could be easily accessed without authentication. Officials said they immediately reconfigured the server to prevent further data access.

Through an internal investigation, officials were able to determine an error was made when configuring the server on May 9, 2017, which left documents and copies of identification documents accessible to the internet.

The exposed data included Social Security numbers, insurance cards and driver's licenses, in addition to patient names, addresses, dates of birth, treatment information and the like. This type of data can be used by cybercriminals for identity theft and medical fraud.

The documents stored on the server were from patients who visited BJC between 2003 and 2009. Patients who visited the health system after 2009 weren’t included in the breach. This serves as a reminder for healthcare organizations to be cognizant of what data are stored and connected to the internet.

While the investigation didn’t find evidence of an unauthorized individual accessing the data, access couldn’t be ruled out with a high degree of certainty. As a result, all impacted patients are being offered one year of free credit monitoring.

BJC is reviewing its security policies and procedures and updating these to prevent future incidents.

The St. Louis health system is just the latest in a long list of organizations failing to properly secure or configure online storage buckets. Hundreds of gigabytes of sensitive client and company data at Accenture were breached in October after the company left four of its AWS S3 buckets open to the public.

In one of the largest breaches based on a misconfigured cloud database, 123 million Americans were exposed after data analytics firm Alteryx left its Amazon Web Services S3 cloud storage bucket open to the public.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
