SSM Health Breach Impacts PHI of 300,000 Patients


Approximately 300,000 patients from SSM Health St. Mary’s Hospital based in Jefferson City, Missouri were advised about the exposure of some of their protected health information (PHI) and the potential access of unauthorized individuals.

St. Mary’s Hospital transferred to a new space on November 16, 2014. All the patient health records were also transported and kept safe. However on June 1, 2018, the hospital learned that a lot of documents containing PHI were still left in the old premises.

The potentially compromised records contained only a partial quantity of PHI. Lots of patients simply had their medical record numbers and names compromised. Some patients had their clinical data, demographic details, and financial information exposed.

Due to the big number of documents involved, the hospital asked a document services firm to examine all the files and identify the patients whose PHI was compromised. The firm took quite a while to finish the process before being able to give St. Mary’s the details on the quantity of patients affected by the data breach. The hospital reported the breach to the Department of Health and Human Services Office for Civil Rights with the information that approximately 301,000 patients’ PHI were affected.

Safety controls were established at the old premises, however the investigation revealed that SSM Health’s safety measures were not adequate to entirely protect patient data. It can’t be claimed with complete confidence that no unauthorized individuals accessed the documents in the past three and a half years that they weren’t completely protected.

Though the ıncident was regarded as a data breach and notifying patient is necessary, SSM Health says that there was no substantial risk of improper use of the patients’ data since only a limited number of PHI was compromised and the validity of the data.

The hospital by now had taken the appropriate actions to make certain that privacy breaches never happen once more down the road. The policies and procedures about the storage, maintenance, and discarding of healthcare records were evaluated and adjusted as necessary.