Notice for Saint Louis University Patients Regarding Privacy Incident
Saint Louis University is committed to maintaining the privacy and confidentiality of our patients' information. Regrettably, this notice concerns an incident involving some of that information.
On August 8, 2013, we discovered that some SLU employees provided their account information in response to a false email they received on July 25, 2013. We immediately launched a full-scale investigation, notifying the employees and securing their SLU email accounts. Law enforcement officials have been notified as well.
As the scope of our investigation expanded, we found that the incident also resulted in unauthorized access to a limited number of SLU email accounts that contained patient information for individuals who were treated by a University physician or were seen at a partner facility. As we examined the contents of the potentially impacted emails, we learned that patient names, Social Security numbers, and limited clinical information (which may include, but is not limited to: diagnoses, procedures, and medical chart information) may have been accessible to the unknown party. It is important to note that the University's Electronic Health Records system was not compromised at any time.
We want to assure our patients that we are taking this matter very seriously. At this time, all evidence suggests that the main target of this scam was the financial information of University employees who received the phishing email. However, the University was unable to confirm whether the unknown party accessed patient information contained in the emails, and therefore, as a precautionary measure, we began sending letters to affected patients on October 7, 2013. We have also established a dedicated call center for patients to call with any questions. If you believe you are affected but have not received a letter by October 25, 2013, please call 877-309-9839 Monday through Friday, between 8 a.m. and 5 p.m. Central Time.
We deeply regret that this incident occurred. In order to prevent such an incident from reoccurring, we are conducting a comprehensive review of our information security practices and procedures, as well as re-educating employees regarding online security awareness.