Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals.

On November 16, 2014, St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered many documents containing protected health information had been left behind.

The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed.

Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has taken some time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients affected. The breach report submitted to the Department of Health and Human Services Office for Civil Rights indicates 301,000 patients have had some of their PHI exposed.

Security safeguards and deterrents were in place at the old facility, although after investigating, SSM Health determined that those safeguards were insufficient to ensure the security of patient information and it was not possible to say, with absolute confidence, that the documents were not viewed by unauthorized individuals during the three and a half years when they were inadequately protected.

While the incident constitutes a data breach and warrants notifications to be sent to patients, SSM Health does not believe patients face a significant risk of misuse of their information due to the limited amount of PHI that was exposed and the age of the data.

The hospital has now taken steps to ensure that further privacy breaches do not occur including reviewing and revising policies and procedures for record storage, retention, and destruction.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.