BJC Health System

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

BJC Health System Data Breach

BJC Health System, a healthcare provider based in Missouri, experienced a significant data breach due to a phishing attack on March 6, 2020. This attack potentially allowed cyber-criminals to access and obtain personally identifiable information (PII) and protected health information (PHI) of BJC’s patients and employees through compromised email accounts[1].

The information potentially compromised included names, dates of birth, medical record or patient account numbers, and limited treatment and clinical information such as diagnosis, medications, provider, type of treatment, and treatment location. Following the incident, lawsuits were filed against BJC Health System, alleging that it failed to take appropriate measures to protect the data from the breach[1].

As a result of the lawsuits, a settlement was reached, which includes payments to individuals who submit valid claims for out-of-pocket expenses and lost time incurred as a result of the data incident. Additionally, the settlement provides two years of credit monitoring and identity theft insurance through IDX for those affected. BJC HealthCare has also agreed to invest $2.7 million into email security, including the implementation of multifactor authentication (MFA) to enhance the protection of patient information[3].

The settlement includes all persons to whom BJC sent notification that their personal information may have been or was exposed to unauthorized third parties as a result of the data incident. The deadline to submit a claim was December 14, 2022, and the final approval hearing for the settlement was on September 6, 2022[1][7].

This data breach was one of several cybersecurity incidents that BJC HealthCare has faced in recent years, including a data server misconfiguration in March 2018 and a hacking of BJC HealthCare’s patient portal in December 2018[3][13].

Citations:

  1. https://bjcdataincident.com
  2. https://www.healthcarefinancenews.com/news/bjc-healthcare-st-lukes-health-system-finalize-merger-agreement
  3. https://healthitsecurity.com/news/data-breach-settlement-bjc-healthcare-agrees-to-put-2.7m-into-email-security
  4. https://www.saintlukeskc.org/about/news/bjc-healthcare-and-saint-lukes-health-system-sign-letter-intent-form-integrated-missouri
  5. https://www.torhoermanlaw.com/bjc-healthcare-security-breach-class-action-lawsuit/
  6. https://www.kcur.org/news/2023-11-29/st-lukes-finalizes-plans-for-10-billion-merger-with-st-louis-health-system
  7. https://www.hipaajournal.com/bjc-healthcare-settles-data-breach-lawsuit-stemming-from-2020-phishing-attack/
  8. https://www.kttn.com/bjc-health-system-and-saint-lukes-health-system-complete-merger/
  9. https://www.bjc.org/news/notice-patients
  10. https://www.stltoday.com/news/local/business/health-care/bjc-gets-green-light-to-combine-with-kansas-city-health-system/article_fbda3180-8eda-11ee-b49f-9318701e3680.html
  11. https://www.scmagazine.com/analysis/bjc-health-to-spend-2-7m-on-email-mfa-access-to-settle-breach-affecting-288k-patients
  12. https://fox2now.com/news/missouri/bjc-healthcare-formalizes-plans-for-merger-with-kc-based-st-lukes-health-system/
  13. https://thehipaaetool.com/bjc-healthcare-settles-class-action-data-breach-lawsuit/
  14. https://www.nhl.com/blues/news/blues-bjc-washu-orthopedics-announce-sponsorship-extension
  15. https://www.beckershospitalreview.com/cybersecurity/bjc-healthcare-notifies-patients-of-data-breach.html
  16. https://www.bizjournals.com/stlouis/news/2023/11/29/saint-lukes-bjc-health-merger-definitive-agreement.html

Breach Submission Date: May 27, 2022
Converted Entity Name: BJC Health System
Converted Entity Type: Business Associate
State: MO
Individuals Affected: 500
Breach Type: Hacking/IT Incident
Breach Information Location: Email
Business Associate Present: Yes