Frequently Asked Questions
1. What happened?
On June 1, 2018, we were notified that documents and other materials containing patient information were left at the former SSM Health St. Mary’s Hospital – Jefferson City campus when it was vacated in late 2014. We launched an immediate search and found dozens of boxes, binders and other items that contained patient information in isolated locations at the former hospital campus. This information appeared to be comprised of items that would not be needed at the new hospital location and should have been shredded or otherwise disposed of properly.
2. What did you do with the items you discovered?
Upon learning of this incident, we immediately recovered the items and transferred them to a secure location on the new hospital campus. A comprehensive review of the recovered information is underway, and the hospital has also retained a document services firm to assist in cataloging all recovered documents.
3. When did it happen?
Based on our investigation, the items were present on the former hospital campus from November 16, 2014, until the last of the recovered documents were secured on June 29th, 2018.
4. When did SSM learn about this?
We first learned that records containing patient information were left at the former hospital campus on June 1, 2018. Upon learning this information, we promptly secured the information and opened an internal investigation.
5. How did SSM find out about this initially?
A member of the community working at the vacated site notified a former employee who in turn reported to management. Upon receiving the report, hospital management immediately validated the information and secured the information.
6. Why did you not tell me about this sooner?
Upon learning of the incident, we began a thorough investigation to determine the full nature and extent of the incident and the information involved. We promptly retained the services of a document services firm to scan the documents into electronic format and to catalog the information in the documents. Given the nature and scope of the items and our desire to carefully and accurately identify all of the patient information present in the documents, these are very time-consuming tasks that may take months to complete. We are working as diligently as we can under the circumstances.
7. What information was accessible?
For most individuals impacted by this incident, the type of information that remained at the old facility largely consisted of administrative and operational supporting documents for various departments. The information included demographic, financial, and/or clinical data, but in most instances involved very limited items of information such as name or medical record number alone. For a subset of individuals impacted by this incident the information included full social security number and limited medical history information. The information did not include formal medical records, which were safely and securely transferred prior to the move to the new facility on November 16, 2014.
8. How do I know what type of information of mine was accessible?
If you received a letter regarding this incident, we have confirmed that your information was involved. If you did not receive a letter, then either your information was not involved or we have not yet been able to confirm that your information was involved. Because of the complexity and scope of the information and the tedious nature of the review process, it may be a few months before we are able to verify with certainty all of the specific information involved, however, I can assure you regardless of the type of information, all documents and materials containing identifiable information is now secured.
9. Is my information still at risk?
All of the information found at the former hospital location has been secured and is no longer at risk. Given the nature of the information and the fact that it was found in isolated locations at the former hospital location, SSM believes that the items were never at significant risk. However, SSM chose, out of an abundance of caution, to notify all patients whose information was recovered from the facility.
10. How many people were affected by this incident?
Because of the ongoing nature of the document review process, we do not know with certainty the number of individuals affected by this incident.
11. What has SSM done in response to this incident?
In addition to notifying patients of the incident, SSM has also notified the Jefferson Tribune and the United States Department of Health and Human Services Office of Civil Rights, consistent with its obligations under HIPAA. SSM is also considering several corrective actions steps to prevent a similar incident from occurring in the future, including reviewing and revising its policies and procedures regarding proper record storage, retention and destruction, as necessary.
12. Is there anything I should be doing to protect myself?
We believe that the risk to your information has been mitigated and that you do not need to take additional steps to protect yourself. However, if you are concerned about identity theft, there are some steps you can take at any time to monitor against fraud. You may place a free 90-day fraud alert, which will help prevent someone from opening new accounts in your name. It is the best line of defense available to all consumers. Fraud alerts will not affect the use of credit cards; however, they will slow down the process for new credit applications. This helps to ensure that any new extensions for credit are granted only with your permission. You can place a free fraud alert by calling Experian at 1-877-870-5640
SSM also is willing to offer you identity theft protection services through ID Experts. ID Experts fully managed recovery services will include: 24 months of Single Bureau Credit Monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and complete access to their fraud resolution representatives. With this protection, ID Experts will work on your behalf to resolve issues if your identity is compromised.
13. Is SSM offering credit monitoring as a result of this incident?
SSM is willing to offer you identity theft protection services through ID Experts, the data breach and recovery services expert, to provide you with MyIDCare. ID Experts fully managed recovery services will include: 24 months of Single Bureau Credit Monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and complete access to their fraud resolution representatives. With this protection, ID Experts will work on your behalf to resolve issues if your identity is compromised. If you would you like to enroll in this service you may call (888) 648-8404.