An American health care system is notifying 29,000 patients of a privacy breach that might have exposed their medical records.
On 29 December 2017, SSM Health published a statement about a security incident it had learned about two months earlier. The not-for-profit organization, which employs 1,600 physicians and 33,000 other individuals in Wisconsin, Oklahoma, Illinois, and Missouri, launched an investigation to determine what had happened. Its analysis revealed that a former employee at a customer care call center had inappropriately accessed protected health information (PHI), specifically medical records belonging to a small number of patients who had a controlled substance prescription and a primary care physician in St. Louis.
The statement clarifies that the employee had access to PHI, including demographic and clinical information, in order to perform the duties of his job.
It’s believed the event, which classifies as a privacy breach under the Health Insurance Portability and Accountability Act (HIPAA), first started on 13 February of 2017.
SSM Health is currently in the process of notifying all 29,000 patients whose information the former employee might have accessed. Those victims can take advantage of identity theft protection services offered to them by SSM Health at no cost. Additionally, while it works with the Office for Civil Rights and local law enforcement to better understand what happened, the provider is taking steps to better secure its systems and monitor employee access.
Scott Didion, system privacy officer at SSM Health, has apologized to all those whom the incident might have affected:
We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.
In an age of insider threats and other digital security risks, it’s important that companies take the necessary steps to maintain the security and integrity of their electronic medical record (EMR) systems.