The personal information of about 45,000 Rush University Medical Center patients was recently compromised after an employee of its claims processing vendor improperly disclosed a patient file to an unauthorized individual.
The incident was outlined in Rush Medical’s quarterly operations report. The vendor notified the medical center of the security incident on January 22. Officials said they launched their own investigation and review into the breach.
Officials determined the file exfiltrated by the employee contained patient names, Social Security numbers, addresses, dates of birth, and health insurance information. No medical data or treatment information was included in the compromised file.
Upon discovery, Rush Medical suspended the contract with the vendor, with which the medical center has a business associate agreement. Officials said they’re reviewing the vendor’s “existing indemnification obligations” and other defenses.
Further, officials have since taken steps with all of their vendors to prevent a recurrence.
“The cause of this incident was not internal to Rush, but due to an external party,” officials said in a statement. “Although Rush is not aware of any misuse of any information arising out of this incident, we are providing notice of the incident to all potentially affected individuals.”
Rush Medical also provided notice to the Department of Health and Human Services, Office for Civil Rights, and applicable state regulators as of February 12. All patients will receive a year of identity protection services.
This is Rush’s second breach notification this year. About 900 patients were recently notified of a mailing error that potentially compromised their personal information. According to the notice, some letters to patients informing them of a Rush Medical nurse practitioner’s retirement may have included the wrong individual on the outer envelope.
The healthcare sector continues to struggle with both third-party vendor breaches and insider wrongdoing. Protenus’ 2018 breach barometer found that 28 percent of last year’s breaches were caused by insider wrongdoing.
Most recently, Kentucky Counseling Center notified 16,440 patients that their personal information was exfiltrated by an employee and later shared with a former staff member.