HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

BJC HealthCare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails.

Suspicious activity was detected in the email accounts on March 6, 2020, and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation, which revealed that the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker.

A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements:

Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license numbers of certain patients were also potentially compromised.

All patients affected by the breach will be notified by mail when the email account review is completed. Patients whose driver’s license or Social Security number has potentially been compromised will be offered complimentary credit monitoring and identity theft protection services.

BJC HealthCare said additional security measures will be implemented to prevent incidents such as this in the future and staff will be retrained to help them identify and avoid suspicious emails.

The following BJC HealthCare and affiliated hospitals were affected by the breach:

  • Alton Memorial Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Corporate Health Services
  • BJC Home Care
  • BJC Medical Group
  • Boone Hospital Center
  • Christian Hospital
  • Memorial Hospital Belleville
  • Memorial Hospital East
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Parkland Health Center Bonne Terre
  • Parkland Health Center Farmington
  • Progress West Hospital
  • St. Louis Children’s Hospital

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.