DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Rush University notifies 45,000 patients after discovering insider wrongdoing at claims processing vendor

Posted on March 5, 2019 by Dissent

Last month,  Rush University Hospital notified HHS of a breach that they reportedly discovered in December. The breach,  affecting 908 patients, was coded as an Unauthorized Access/Disclosure incident with data located in paper/film format.  At the time, Becker’s Spine Review reported that the incident was a mailing mix-up:

According to the letter sent to affected patients, Rush discovered the incident Dec. 21, 2018.

Rush found that some letters to patients notifying them of the retirement of a certified nurse practitioner may have included the name of the wrong individual in the greeting/salutation.

Less than one month later, it appears that Rush  also had 45,000 other patients to notify last month in a much bigger incident. Lisa Schencker of the Chicago Tribune reports:

The personal information of about 45,000 Rush patients may have been compromised in a data breach, the health system revealed in a recent financial filing.

The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused.

In this incident, it appears that “an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” likely in May 2018, according to a letter sent to affected patients.”  The vendor was not identified.

The breach was reportedly discovered on Jan. 22. Letters were sent to affected patients on February 25, and the hospital suspended its contract with the claims processing vendor.  According to an FAQ on the incident,  in response to the incident:

After our discovery of the incident, we launched an internal investigation and suspended our contract with the financial claims vendor. Additionally, we are reviewing our internal procedures and contracting processes to help prevent this type of incident from happening in the future. We are also increasing our internal awareness of service vendors and reviewing processes for working with third-party firms.

The following is the statement on Rush’s web site, dated February 28, 2019:

Patients Who Received a Notification Letter About Information Improperly Disclosed by a Claims Processing Vendor

Posted Feb. 28, 2019

Rush discovered on January 22, 2019, that an employee of one of our claims processing vendors improperly disclosed a file containing certain patient information to an unauthorized party.

Though the shared information varies by individual, it may include the patient’s name, address, date of birth, social security number and insurance information.

After the discovery, we launched an internal investigation during which we did not find any evidence of any unauthorized access to any of Rush’s internal computer systems or network. Additionally, medical history, treatment, diagnosis or other patient information was not affected, and personal financial information was not shared.

We have attempted to directly notify all patients whose information may have been affected. Law enforcement and regulatory officials also have been notified.

Additional details are available here. We have set up a dedicated call center to answer any questions you might have. To speak to a representative, please call (833) 231-3355 between 8 a.m. to 5:30 p.m. Central Time, Monday through Friday.

Category: Health DataInsiderSubcontractorU.S.

Post navigation

← Million-plus Israeli websites target of ransomware hack
Hackers Sell Access to Bait-and-Switch Empire →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.