SSM Health has revealed a data breach that compromised the protected health information of 29,000 patients. The system said they learned of the breach on October 30, after discovering recently that a former employee inappropriately accessed medical records while working in the customer service call center.
The breach occurred between Feb. 13 and Oct. 20, 2017, and included demographic and various types of clinical information. The individual did not have access to any financial information, including credit or debit card numbers, SSM said.
After launching an internal investigation, SSM concluded that although the former employee accessed patient information from multiple states, it appeared his goal was to gain access to the medical records of a few particular patients who had a controlled substance prescription and a primary care physician within the St. Louis area.
"Out of an abundance of caution, SSM Health is notifying all 29,000 patients whose records were accessed by this individual, even if the access may have been for legitimate job functions. SSM Health has also reported the incident to the Office for Civil Rights and local law enforcement," the system said.
SSM has also undertaken corrective actions that include the new requirement of an additional identifier when patients request prescription refills from the call center, an in-depth review of internal policies and procedures, and strengthening employee access monitoring tools.
SSM will also provide identity theft protection at no cost to affected patients when requested.
Data breaches seemed to reach a fever pitch in 2017, with many experts designating healthcare as the most attacked industry by cybercriminals. Moreover, experts also forecasted that the problem would get worse in 2018, now that hackers are fully aware of the value of healthcare information. Despite the circumstances in this case pointing to a more locally purposed invasion, were the perpetrator so inclined, there are plenty of predators out there who would be happy to get their hands on 29,000 sets of protected health information. Healthcare providers must take care to ensure that their system is capable of monitoring suspicious activity, and that there are sufficient safeguards in place to avoid abuse of that information.