BJC HealthCare data breach of 2020 — 14 hospitals affected
On March 6, 2020 the data breach of an BJC HealthCare’s employee email accounts occurred, and they were accessed by an unauthorized person. BJC released notice to patients on May 5, 2020, specifying that following the discovery of this cyber attach, BJC immediately took steps to secure the email accounts, and engaged a leading computer forensic firm to assist with the investigation. BJC also mailed letters to compromised patients and established a dedicated, toll-free call center to answer patients’ questions.
Through the review BJC identified emails and/or attachments in the accounts that contained patient information. It appears that the data leak may have included some patients’ names, dates of birth, medical record or patient account numbers, and limited treatment and/or clinical information, such as visit dates, provider names, medications, diagnoses, and/or testing information, as well as patients’ Social Security numbers and/or drivers’ license numbers.
This BJC data breach affected the following affiliated hospitals and service organizations:
- Alton Memorial Hospital
- Barnes-Jewish Hospital
- Barnes-Jewish St. Peters Hospital
- Barnes-Jewish West County Hospital
- BJC Corporate Health Services dba BarnesCare
- BJC Medical Group
- Boone Hospital Center
- Christian Hospital
- Missouri Baptist Medical Center
- Missouri Baptist Sullivan Hospital
- Parkland Health Center Farmington
- Parkland Health Center Bonne Terre
- Progress West Hospital
- St. Louis Children’s Hospital
BJC added there was no evidence that any of patient information was actually viewed by the unauthorized person, or that it has been misused. For those patients whose Social Security numbers and/or drivers’ license numbers were compromised, BJC is offering complimentary credit monitoring and identity protection services.
BJC HealthCare cyber attack of 2018 — data lost
On November 19, 2018 a malware attack on BJC Healthcare compromised its online payment portal and affected payment details of 5,850 individuals who entered their payment data between October 25 and November 8, 2018. Personal data of patients could have been acquired, including patients’ names, date of birth and billing account numbers. No Social Security Numbers or medical information were affected.
BJC HealthCare learned about the cyber attack on November 19, 2018. Malicious software was found installed on the website, that intercepted the payment information. The affected patients were notified via email.
“BJC has no indication to date that any information was actually misused. As a precaution, individuals whose payment information may have been exposed are advised to carefully review credit card and bank statements and immediately contact their credit card holder or banking institution about any inconsistencies or suspicious activity.”BJC Healthcare
BJC data breach of 2018 — 33,000 patients affected
Since May 9, 2017 to January 23, 2018 the misconfigured server left confidential information of more than 33,000 patients easily accessible through the Internet for over 8 month. After this data breach BJC Healthcare notified 33,420 patients, all of them were offered one year of free credit monitoring.
The data exposed included Social Security numbers, insurance cards and drivers licenses, as well as patient names, addresses, dates of birth, treatment information. The information is related to patients who visited BJC between 2003 and 2009.
“The BJC investigation did not reveal that any personal data was actually accessed”BJC Healthcare
The server was discovered on January 23, 2018 during a security scan. BJC has reviewed its security policies and procedures.