29,000 Patients Notified of Employee-Related Data Breach at SSM Health

The St. Louis, MO-based not-for-profit health system SSM Health has discovered that a former employee had been accessing patients' health records for eight months without any legitimate work reason for doing so.

The former employee worked in SSM Health's customer service call center and, as such, had access only to demographic, health, and clinical information, not to financial information.

The improper access was detected by SSM Health on October 30, prompting a thorough investigation to determine which records had been accessed and which patients were potentially at risk. The investigation revealed that the records of patients in multiple states were accessed by the employee between February 13 and October 20, 2017.

The employee was primarily interested in the records of patients of a primary care physician in the St. Louis area, specifically patients who had been prescribed a controlled substance. While that subset of patients was relatively small, it was not possible to determine the full scope of the privacy breach, so SSM Health decided to notify all patients whose records had been accessed by the former employee. In many cases, that access will have been for legitimate work purposes.

In total, 29,000 patients have been notified of the incident and warned that their protected health information may have been improperly accessed and could potentially have been misused. Those patients have been offered identity theft protection services without charge.

SSM Health has also changed its procedures to require an additional identifier when patients request prescription refills via its call center. Internal policies and procedures have been reviewed, and employee access monitoring tools have been strengthened so that any future improper employee access is identified more rapidly than the eight months this activity went unnoticed.
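The two signals a call-center access monitor would need to catch the pattern described in this incident are (1) chart accesses with no matching patient interaction to justify them and (2) an agent whose accesses concentrate on one physician's patient panel. The following is an added illustration, not SSM Health's tooling or data: it assumes a hypothetical comma-separated EHR audit export (timestamp, user, patient, treating provider) and a hypothetical call-handling log (timestamp, user, patient) as the source of business justification, and the log lines below are constructed.

```python
"""Flag call-center chart access with no justifying call, and
per-agent concentration on one provider's patients.

Added example with constructed data; not SSM Health's logs or tooling.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed EHR audit entries (hypothetical format):
# timestamp,user,patient,treating_provider
ACCESS_LOG = """\
2017-03-01T09:02:10,agent07,P1001,DR-A
2017-03-01T09:15:42,agent07,P1002,DR-B
2017-03-01T09:31:05,agent07,P1003,DR-A
2017-03-01T09:33:17,agent07,P1004,DR-A
2017-03-01T09:35:48,agent07,P1005,DR-A
2017-03-01T10:10:00,agent12,P2001,DR-C
2017-03-01T10:20:00,agent12,P2002,DR-D
2017-03-01T10:45:00,agent12,P2003,DR-A
"""

# Constructed call-handling records (hypothetical format):
# timestamp,user,patient  -- the business reason for opening a chart.
CALL_LOG = """\
2017-03-01T09:00:30,agent07,P1001
2017-03-01T09:14:00,agent07,P1002
2017-03-01T10:09:00,agent12,P2001
2017-03-01T10:19:30,agent12,P2002
2017-03-01T10:44:10,agent12,P2003
"""

# A chart access is "justified" if the same agent handled a call for the
# same patient within this window (assumed value; tune to the workflow).
JUSTIFICATION_WINDOW = timedelta(minutes=10)


def parse_access(text):
    """Parse audit lines into dicts with ts/user/patient/provider."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, patient, provider = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "patient": patient, "provider": provider})
    return rows


def parse_calls(text):
    """Index call timestamps by (user, patient)."""
    calls = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, patient = line.split(",")
        calls[(user, patient)].append(datetime.fromisoformat(ts))
    return calls


def unjustified_accesses(accesses, calls, window=JUSTIFICATION_WINDOW):
    """Return accesses with no call for that patient by that user in window."""
    flagged = []
    for a in accesses:
        nearby = calls.get((a["user"], a["patient"]), [])
        if not any(abs(a["ts"] - c) <= window for c in nearby):
            flagged.append(a)
    return flagged


def provider_concentration(accesses):
    """Per user: (most-accessed provider, share of that user's accesses)."""
    by_user = defaultdict(Counter)
    for a in accesses:
        by_user[a["user"]][a["provider"]] += 1
    result = {}
    for user, counts in by_user.items():
        provider, n = counts.most_common(1)[0]
        result[user] = (provider, n / sum(counts.values()))
    return result


def flag_users(accesses, calls, window=JUSTIFICATION_WINDOW,
               min_share=0.6, min_unjustified=1):
    """Combine both signals into a dict of user -> list of reasons."""
    reasons = defaultdict(list)
    unjust = Counter(a["user"]
                     for a in unjustified_accesses(accesses, calls, window))
    for user, n in unjust.items():
        if n >= min_unjustified:
            reasons[user].append(
                f"{n} chart access(es) with no call within {window}")
    for user, (provider, share) in provider_concentration(accesses).items():
        if share >= min_share:
            reasons[user].append(
                f"{share:.0%} of accesses on {provider}'s patients")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in flag_users(parse_access(ACCESS_LOG),
                                parse_calls(CALL_LOG)).items():
        print(user, "->", "; ".join(why))
```

On the constructed data only agent07 is flagged, on both counts: three charts opened with no call, and 80% of accesses landing on one physician's patients. Agents do sometimes open charts without an inbound call (callbacks, refill work queues), so the window and share thresholds are tuning knobs, and a justification source other than the call log may be needed; the point of the concentration signal is that it does not depend on justification data at all and directly targets the "one physician's patients" pattern this incident exhibited.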

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and law enforcement has been notified.

SSM Health privacy officer, Scott Didion, said, “We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.”

This is the second incident to be reported by SSM Health this year. In May, SSM Health reported that an electromyography device containing the PHI of 836 patients had been stolen from DePaul Hospital St Louis in Bridgeton, MO.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.