Third-party vendor for Rush Health causes breach affecting 45K

Rush Health is notifying about 45,000 patients after an employee of a third-party vendor improperly disclosed a file containing patient information.

Rush, a three-hospital delivery system serving Chicagoland, learned of the breach on January 22, and later learned that the disclosure likely occurred the previous May.

The compromised patient information included patient names, addresses, dates of birth and insurance information. More sensitive data such as treatments, diagnoses and personal financial information were not included in the disclosure of information to an unauthorized person, the organization told patients in the notification letter.

Also See: Bitglass blames hacking, IT incidents as main reasons for breaches

“After our discovery of the incident, we launched an internal investigation and suspended our contract with the financial claims vendor,” the notification letter explained. “Additionally, we are reviewing our internal procedures and contracting processes to help prevent this type of incident from happening in the future. We are also increasing our internal awareness of service vendors and reviewing processes for working with third-party firms.”

Rush is offering affected individuals one year of credit monitoring and identity protection services from Experian. Patients also were provided with comprehensive information on how to protect their credit and place a fraud alert on the credit report. Andy Reeder, associate vice president and the HIPAA privacy and security officer at Rush, expressed regret for any concern the incident may cause.