BJC Health System
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
BJC Health System Data Breach
BJC Health System, a healthcare provider based in Missouri, experienced a significant data breach due to a phishing attack on March 6, 2020. This attack potentially allowed cyber-criminals to access and obtain personally identifiable information (PII) and protected health information (PHI) of BJC’s patients and employees through compromised email accounts[1].
The information potentially compromised included names, dates of birth, medical record or patient account numbers, and limited treatment and clinical information such as diagnosis, medications, provider, type of treatment, and treatment location. Following the incident, lawsuits were filed against BJC Health System, alleging that it failed to take appropriate measures to protect the data from the breach[1].
As a result of the lawsuits, a settlement was reached, which includes payments to individuals who submit valid claims for out-of-pocket expenses and lost time incurred as a result of the data incident. Additionally, the settlement provides two years of credit monitoring and identity theft insurance through IDX for those affected. BJC HealthCare has also agreed to invest $2.7 million into email security, including the implementation of multifactor authentication (MFA) to enhance the protection of patient information[3].
The settlement includes all persons to whom BJC sent notification that their personal information may have been or was exposed to unauthorized third parties as a result of the data incident. The deadline to submit a claim was December 14, 2022, and the final approval hearing for the settlement was on September 6, 2022[1][7].
This data breach was one of several cybersecurity incidents that BJC HealthCare has faced in recent years, including a data server misconfiguration in March 2018 and a hacking of BJC HealthCare’s patient portal in December 2018[3][13].
Citations:
- [1] https://bjcdataincident.com
- [2] https://www.healthcarefinancenews.com/news/bjc-healthcare-st-lukes-health-system-finalize-merger-agreement
- [3] https://healthitsecurity.com/news/data-breach-settlement-bjc-healthcare-agrees-to-put-2.7m-into-email-security
- [4] https://www.saintlukeskc.org/about/news/bjc-healthcare-and-saint-lukes-health-system-sign-letter-intent-form-integrated-missouri
- [5] https://www.torhoermanlaw.com/bjc-healthcare-security-breach-class-action-lawsuit/
- [6] https://www.kcur.org/news/2023-11-29/st-lukes-finalizes-plans-for-10-billion-merger-with-st-louis-health-system
- [7] https://www.hipaajournal.com/bjc-healthcare-settles-data-breach-lawsuit-stemming-from-2020-phishing-attack/
- [8] https://www.kttn.com/bjc-health-system-and-saint-lukes-health-system-complete-merger/
- [9] https://www.bjc.org/news/notice-patients
- [10] https://www.stltoday.com/news/local/business/health-care/bjc-gets-green-light-to-combine-with-kansas-city-health-system/article_fbda3180-8eda-11ee-b49f-9318701e3680.html
- [11] https://www.scmagazine.com/analysis/bjc-health-to-spend-2-7m-on-email-mfa-access-to-settle-breach-affecting-288k-patients
- [12] https://fox2now.com/news/missouri/bjc-healthcare-formalizes-plans-for-merger-with-kc-based-st-lukes-health-system/
- [13] https://thehipaaetool.com/bjc-healthcare-settles-class-action-data-breach-lawsuit/
- [14] https://www.nhl.com/blues/news/blues-bjc-washu-orthopedics-announce-sponsorship-extension
- [15] https://www.beckershospitalreview.com/cybersecurity/bjc-healthcare-notifies-patients-of-data-breach.html
- [16] https://www.bizjournals.com/stlouis/news/2023/11/29/saint-lukes-bjc-health-merger-definitive-agreement.html