Last month, Rush University Hospital notified HHS of a breach that they reportedly discovered in December. The breach, affecting 908 patients, was coded as an Unauthorized Access/Disclosure incident with data located in paper/film format. At the time, Becker’s Spine Review reported that the incident was a mailing mix-up:
According to the letter sent to affected patients, Rush discovered the incident Dec. 21, 2018.
Rush found that some letters to patients notifying them of the retirement of a certified nurse practitioner may have included the name of the wrong individual in the greeting/salutation.
Less than one month later, it appears that Rush also had 45,000 other patients to notify last month in a much bigger incident. Lisa Schencker of the Chicago Tribune reports:
The personal information of about 45,000 Rush patients may have been compromised in a data breach, the health system revealed in a recent financial filing.
The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused.
In this incident, it appears that “an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” likely in May 2018, according to a letter sent to affected patients.” The vendor was not identified.
The breach was reportedly discovered on Jan. 22. Letters were sent to affected patients on February 25, and the hospital suspended its contract with the claims processing vendor. According to an FAQ on the incident, in response to the incident:
After our discovery of the incident, we launched an internal investigation and suspended our contract with the financial claims vendor. Additionally, we are reviewing our internal procedures and contracting processes to help prevent this type of incident from happening in the future. We are also increasing our internal awareness of service vendors and reviewing processes for working with third-party firms.
The following is the statement on Rush’s web site, dated February 28, 2019:
Patients Who Received a Notification Letter About Information Improperly Disclosed by a Claims Processing Vendor
Posted Feb. 28, 2019
Rush discovered on January 22, 2019, that an employee of one of our claims processing vendors improperly disclosed a file containing certain patient information to an unauthorized party.
Though the shared information varies by individual, it may include the patient’s name, address, date of birth, social security number and insurance information.
After the discovery, we launched an internal investigation during which we did not find any evidence of any unauthorized access to any of Rush’s internal computer systems or network. Additionally, medical history, treatment, diagnosis or other patient information was not affected, and personal financial information was not shared.
We have attempted to directly notify all patients whose information may have been affected. Law enforcement and regulatory officials also have been notified.
Additional details are available here. We have set up a dedicated call center to answer any questions you might have. To speak to a representative, please call (833) 231-3355 between 8 a.m. to 5:30 p.m. Central Time, Monday through Friday.