Rush University Medical Center is notifying roughly 45,000 patients that their protected health information (PHI) was exposed in a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019.
It was discovered that an employee of the financial services vendor had disclosed a document containing patients' PHI to an unauthorized third party in May 2018. The information in the file varied from patient to patient and may have included names, addresses, birth dates, medical insurance details, and Social Security numbers. The file did not contain any clinical or financial data.
Rush carried out a breach investigation and found no evidence that patient information had been misused. Nevertheless, Rush has offered affected patients identity theft and fraud protection services through a membership in the Experian IdentityWorks Credit 3B service.
Affected patients have been advised to monitor their insurance explanation of benefits statements and other financial accounts for any sign of fraudulent transactions. Rush mailed breach notification letters to all affected patients on February 25, 2019.
After becoming aware of the breach, Rush terminated its contract with the financial services vendor and reported the incident to law enforcement. The medical center has also taken steps to prevent similar breaches in the future by increasing its oversight of service vendors and by reviewing and improving its internal policies and processes for contracting with third-party companies.
This is the second privacy breach Rush has reported in 2019. The first occurred in February, when Rush sent letters to patients informing them that a nurse practitioner at its Epilepsy Center was retiring. Because of a mailing error, 908 of those letters were sent to the wrong recipients.