Data Breach at Rush University Medical Center Affects 45,000 Patients
Rush University Medical Center has announced that a data breach incident at a financial services vendor has compromised the PHI of 45,000 of their patients.
The financial services vendor informed Rush of the incident on January 22, 2019. A member of staff at the vendor was caught sharing a file containing patient PHI with an unauthorised individual in May 2018. Rush has stated that the types of information that individual accessed may include incorporated names, home addresses, dates of birth, health insurance data and Social Security numbers. The amount of information compromised varies from patient to patient.
Rush launched an investigation into the scope of the breach. They have stated that they have not seen any evidence to suggest the unauthorised individual is misusing patient information. However, out of an abidance of caution, Rush has offered affected patients free membership to the Experian IdentityWorks Credit 3B service to safeguard against identity theft and fraud.
Rush recommends affected individuals monitor their financial accounts and explanation of benefits statements from their insurance companies as a sign of fraudulent activity. Any suspicious activity should be reported to the relevant authorities.
Following HIPAA’s Breach Notification Rule, Rush sent breach notification letters to all affected patients on February 25, 2019.
Rush suspended its contract with the financial services vendor and informed law enforcement of the incident. Rush has stated that it has taken steps to prevent similar breaches from happening going forward. These measures include increased oversight of service vendors, and reviewing and strengthening internal policies, processes, and procedures for contracting external companies.
This incident is the second privacy violation report to be submitted by Rush in 2019. In February, patients were issued letters to advise them about the retirement of a nurse practitioner at its Epilepsy Center; however, a mistake in the mailing lead to 908 letters being sent to incorrect recipients.