Medical data of 33,000 BJC HealthCare patients exposed online for 8 months

An internal scan by the St. Louis-based health system found a misconfigured server could be easily accessed without authentication.
By Jessica Davis
03:09 PM

BJC's Barnes-Jewish Hospital in St. Louis. Photo Credit: BJC

The data of 33,420 patients of BJC HealthCare was left exposed to the internet for eight months after the St. Louis-based provider misconfigured one of its servers.

BJC, which operates 15 hospitals, is one of the largest nonprofit healthcare systems in the U.S.

The exposure was discovered by an internal scan on Jan. 23, which found that one of BJC's servers could be accessed without authentication. Officials said they immediately reconfigured the server to prevent further access to the data.


Through an internal investigation, officials determined that an error made when the server was configured on May 9, 2017 left documents, including copies of identification documents, accessible from the internet.

The exposed data included Social Security numbers, insurance cards and driver's licenses, in addition to patient names, addresses, dates of birth, treatment information and the like. This type of data can be used by cybercriminals for identity theft and medical fraud.

The documents stored on the server were from patients who visited BJC between 2003 and 2009. Patients who visited the health system after 2009 weren't included in the breach. This serves as a reminder for healthcare organizations to know what data they store and which of their systems are reachable from the internet.

While the investigation didn’t find evidence of an unauthorized individual accessing the data, access couldn’t be ruled out with a high degree of certainty. As a result, all impacted patients are being offered one year of free credit monitoring.

BJC is reviewing its security policies and procedures and updating these to prevent future incidents.

The St. Louis health system is just the latest in a long list of organizations failing to properly secure or configure online storage buckets. Hundreds of gigabytes of sensitive client and company data at Accenture were breached in October after the company left four of its AWS S3 buckets open to the public.

In one of the largest breaches based on a misconfigured cloud database, 123 million Americans were exposed after data analytics firm Alteryx left its Amazon Web Services S3 cloud storage bucket open to the public.
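The Accenture and Alteryx incidents above both came down to an S3 bucket whose ACL or bucket policy granted access to everyone. The check below is an added example, not code from BJC, Accenture, Alteryx or AWS: it audits the JSON structures that S3's get-bucket-acl and get-bucket-policy calls return and flags grants to the AllUsers and AuthenticatedUsers groups or to a wildcard principal. The bucket names and ACL/policy documents are constructed inline so it runs offline; in practice the same functions would be fed the live responses from the AWS API.

```python
"""Audit S3 bucket ACLs and bucket policies for public access grants.

Added example (not the code of any organization named in the article).
The inputs mirror the shape of the AWS get_bucket_acl / get_bucket_policy
responses; all sample data below is constructed for illustration.
"""
import json

# AWS predefined groups that mean "everyone" (AuthenticatedUsers is any AWS
# account holder, so it is effectively public too).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that apply to the public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True when a policy statement's Principal is the wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements for everyone, split by whether a
    Condition narrows them (conditional ones still deserve manual review)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    unconditional, conditional = [], []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "statement[%d]" % i)
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return {"unconditional": unconditional, "conditional": conditional}


def audit_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one report for a bucket."""
    report = {
        "bucket": name,
        "public_acl": public_acl_grants(acl),
        "public_policy": public_policy_statements(policy) if policy else
                         {"unconditional": [], "conditional": []},
    }
    report["public"] = bool(report["public_acl"] or
                            report["public_policy"]["unconditional"])
    return report


# --- constructed sample inputs -------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# LogDelivery is a service group, not the public; it must not be flagged.
PRIVATE_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"},
]}

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}},
]})

PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::constructed-bucket/*"},
]})

if __name__ == "__main__":
    for name, acl, pol in [("constructed-open", OPEN_ACL, OPEN_POLICY),
                           ("constructed-private", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(json.dumps(audit_bucket(name, acl, pol), indent=2))
```

Statements with a Condition are reported separately rather than flagged as public, because a wildcard principal restricted to a VPC endpoint or source IP is not reachable from the open internet; they still warrant a human look, since a mistyped condition key silently becomes an unconditional grant.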

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com