SSM Health is reviewing its security procedures after discovering that a former employee with its customer service call center inappropriately accessed patient medical records between Feb. 13 and Oct. 20, 2017.
The health care system is notifying all patients whose records were accessed by the employee — about 29,000 people in multiple states — even if the access appears to have been legitimate, SSM officials said in a statement released last week. An internal investigation found that the employee’s illegal activities focused on the records of a small number of patients with controlled substance prescriptions — and a primary care physician in the St. Louis area.
The employee had access to health information, including demographic and clinical information, but did not have access to financial information, such as credit or debit card numbers. SSM reported the breach to local law enforcement and the Office for Civil Rights. Patient records are protected by the federal Health Insurance Portability and Accountability Act.
SSM will now require an additional identifier when patients request prescription refills from its call center, and it will strengthen employee access monitoring tools, the statement said. Affected patients can request identity theft protection at no charge. Patients who did not receive a notification but believe they might be affected can call 1-888-710-9205.
“We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients,” said Scott Didion, SSM’s system privacy officer, in the statement.
SSM operates 20 hospitals and 63 outpatient care sites in Missouri, Illinois, Oklahoma and Wisconsin.
Follow Mary Delach Leonard on Twitter: @marydleonard