Billing Error Causes PHI Breach at Illinois Health System

The PHI breach occurred when the information of 1,729 Advocate Aurora Health patients was mailed to the wrong location following a billing error.

By Jill McKeon

UPDATED 1/6/2022 

Illinois-based Advocate Aurora Health faced a protected health information (PHI) breach due to a billing error that caused the health information of over 1,600 patients to be mailed to the wrong location, the Chicago Tribune reported. According to the Office for Civil Rights (OCR) data breach portal, the incident impacted a total of 1,729 individuals.

The health system, which comprises 26 hospitals and more than 500 care sites across Illinois and Wisconsin, discovered the breach on October 29, 2021.

The billing statements, containing the protected health information of other patients, were addressed to one Advocate Aurora patient and were mailed on July 29, according to the Chicago Tribune. However, the billing statements never reached the destination.

The billing statements included patient names, the provider visited, visit account numbers, and types and dates of healthcare services received.

Advocate Aurora Health has not yet released an official statement on its website, but officials told the Chicago Tribune that all patients have been notified and were offered free credit monitoring.

Advocate Aurora said that the error was caused by an accidental and unnoticed change to an account type in the health system’s billing software. The health system said it was unaware of any misuse as a result of the mailing error, but it will take steps to improve internal processes and security measures.

While ransomware is a widely known threat across the healthcare industry, data theft and loss can be equally detrimental. To combat this, organizations should implement technical and administrative safeguards. 

As cybersecurity incidents become more prevalent, the need for comprehensive cyber incident response plans has grown. 

HIPAA requires organizations to have an incident response plan, but there is no one-size-fits-all approach that can be applied to every organization. Each healthcare organization should implement an incident response plan that reflects its own needs and resources, and then practice that plan routinely.

Prioritizing cybersecurity, data privacy, and employee education is essential to preventing healthcare data breaches.

Editor's note: Portions of this report have been edited to provide clarity.