A St. Louis-based health group warned patients on Friday of a security breach that might have affected the privacy of medical records earlier this year.
SSM Health, which operates health-care facilities throughout the St. Louis region, said a former customer service call employee illegally accessed medical records between Feb. 13 and Oct. 20.
The employee’s actions represent a breach of the federal Health Insurance Portability and Accountability Act, commonly known as HIPAA, SSM said in a news release.
Part of the employee’s job was accessing health information, including demographic and clinical information, but the employee never had access to any financial information like credit or debit card numbers.
Never miss a local story.
The company said their former employee was apparently searching medical records for a small number of patients in the St. Louis area who had a prescription for a controlled substance. The employee accessed patient information in multiple states, though it seems the employee focused on patients in St. Louis. The company became aware of the employee’s actions on Oct. 30.
SSM Health said the company is notifying all 29,000 patients whose records were accessed, legitimately or not, by the employee. The company also reported the incident to the Office for Civil Rights as well as local law enforcement.
As an extra precaution, patients must now provide additional identification information when requesting prescription refills from the call center. The company said it is also “thoroughly reviewing internal policies and procedures, and further strengthening employee access monitoring tools.”
SSM Health is also providing free identity theft protection to affected patients upon their request.
Scott Didion, system privacy officer for the company, said they “take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.”
Patients who feel they might have been impacted but do not receive a notification from the company should call toll-free 1-888-710-9205.