March 4, 2019 — Chicago Tribune: Rush reports data breach involving 45,000 patients
The personal information of about 45,000 Rush patients may have been compromised in a data breach, the health system revealed in a recent financial filing.
The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused.
The breach is just the latest in what has been a continuing pattern of data security problems at hospitals across the nation. At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” likely in May 2018, according to a letter sent to affected patients.
Rush said it discovered the breach Jan. 22. It detailed the breach in a financial filing dated Feb. 12, and it sent letters dated Feb. 25 to affected patients. It took several weeks to send letters to patients because Rush had to review the data and set up a call center to assist patients, among other things, said Deb Song, a spokeswoman for Rush.
Rush is just the latest Illinois health system to deal with an incident related to patient privacy.
In 2016, Advocate Health Care agreed to pay $5.55 million — a record at the time — to settle allegations it violated federal patient privacy law after three separate data breaches involving its physician-led medical group subsidiary, Advocate Medical Group.
The breaches involved the electronic health data of 4 million people that were exposed after a handful of laptops were stolen and an unauthorized third party accessed the network of an Advocate business associate. Advocate did not admit any liability as part of that settlement, though it said at the time, “we deeply regret any inconvenience this incident has caused our patients.”
In 2017, the personal information of as many as 8,862 individuals was compromised after a breach involving Silver Cross Hospital in New Lenox. Silver Cross discovered that year that some patient information may have leaked onto the Internet after a vendor that managed parts of its website upgraded its software.