Rush University Medical Center is contacting around 45,000 patients to advise them that their PHI has been exposed due to a data incident at a financial services vendor. Rush discovered the incident on January 22, 2019.
A member of staff of the financial services vendor was found to have shared a file containing patients’ PHI with an unauthorized third party in May 2018. The type of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance data and Social Security numbers. No health information was included in the file and financial data was not accessed.
Rush completed a review into the breach and while no evidence was found to suggest patient information had been improperly used, impacted patients have been offered free membership to the Experian IdentityWorks Credit 3B service to safeguard against identity theft and fraud as a precautionary measure.
Impacted patients have been told to monitor their financial accounts and explanation of benefits statements from their insurance companies for signs of fraudulent activity. All impacted patients were alerted about the breach by mail on February 25, 2019.
After identifying the breach, Rush suspended its contract with the financial services vendor, and the incident has been reported to law enforcement. Steps have now been taken to prevent similar breaches in the future, including increasing oversight of service vendors, and reviewing and strengthening internal policies, processes, and procedures for contracting external companies.
This is the second privacy violation report to be submitted by Rush in 2019. In February, patients were issued letters to advise them about the retirement of a nurse practitioner at its Epilepsy Center; however, a mistake in the mailing led to 908 letters being sent to incorrect recipients.