SSM Health’s Former Employee Got Illegal Access to Sensitive Information of 29,000 Patients


The non-profit health system SSM Health based in St. Louis, MO discovered the unauthorized access of patient health records by a former employee. The former employee was part of SSM Health’s customer service call center. His access to information was limited to demographic, health and clinical information only. He did not have access to patients’ financial information.

SSM Health discovered the unauthorized access on October 30, 2017. As a response, all records were investigated to see which patients’ information were exposed and at risk. It was found out that patients in multiple states were impacted. Records of the patients were accessed by the former employee from February 13 to October 20, 2017.

The investigation also revealed that the employee specifically accessed the records of patients consulting a primary care physician in the St. Louis area. He was looking for patients who were prescribed a controlled substance. There were only a small number of patients that fit the bill, but it’s impossible to know the real scope of the privacy breach. Hence, SSM Health simply notified all patients impacted by the former employees’ wrongdoing. 29,000 employees were given warning that their protected health information were accessed and could be misused. SSM Health also offered the patients free identity theft protection services.

In addition, SSM Health required an additional identifier when patients request the call center for prescription refills. The entity also reviewed the effectiveness of all internal policies and procedures. There were monitoring tools installed to check employees accessing the system and make sure the rapid identification of illegal employee activities.

SSM Health already reported the breach to the Department of Health and Human Services’ Office for Civil Rights and law enforcement. This incident is the second that happened to SSM Health in 2017. The first one happened in May when an electromyography device was stolen. The device contained the PHI of 836 patients from DePaul Hospital St. Louis in Bridgeton, MO.