ST. LOUIS, MO (Dec. 29, 2017) – SSM Health recently discovered that a former employee inappropriately accessed medical records of SSM Health patients between Feb. 13 and Oct. 20, 2017, while he was employed in the customer service call center. The incident constitutes a privacy breach under the federal Health Insurance Portability and Accountability Act (HIPAA).
To perform his job duties, the employee had access to protected health information, including demographic and various types of clinical information. The individual did not have access to any financial information, including credit or debit card numbers.
After learning of the incident on Oct. 30, 2017, SSM Health immediately launched an extensive internal investigation. Consequently, it appears that although the former employee accessed patient information from multiple states, the focus of his illegal activities involved the medical records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area. Out of an abundance of caution, SSM Health is notifying all 29,000 patients whose records were accessed by this individual, even if the access may have been for legitimate job functions. SSM Health has also reported the incident to the Office for Civil Rights and local law enforcement.
As a result of this incident, the organization has taken immediate corrective actions, including requiring an additional identifier when patients request prescription refills from the call center, thoroughly reviewing internal policies and procedures, and further strengthening employee access monitoring tools. In addition, SSM Health will be providing identity theft protection at no charge to affected patients upon their request.
“We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients,” said Scott Didion, System Privacy Officer, SSM Health.
SSM Health patients who feel they may have been impacted, but do not receive a notification, should call toll-free 1-888-710-9205.