The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused.
The breach is just the latest in what has been a continuing pattern of data security problems at hospitals across the nation. At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” likely in May 2018, according to a letter sent to affected patients.
Rush said it discovered the breach Jan. 22. It detailed the breach in a financial filing dated Feb. 12, and it sent letters dated Feb. 25 to affected patients. It took several weeks to send letters to patients because Rush had to review the data and set up a call center to assist patients, among other things, said Deb Song, a spokeswoman for Rush.
“It is a matter that we do take very seriously,” she said.
After it discovered the breach, Rush launched an internal investigation and suspended its contract with the vendor. Rush said it also was reviewing its internal procedures and contracting processes.
The health system is offering affected patients a free one-year membership to an identity protection service. It also recommends affected patients check their credit reports and financial accounts for suspicious activity, review their explanations of benefits documents from health insurers, and understand that they have the option of freezing their credit.
Patients may call 833-231-3355 for more information. Rush has three hospitals: Rush University Medical Center in Chicago, Rush Oak Park Hospital and Rush Copley Medical Center in Aurora.
It is at least the second privacy-related incident reported by Rush this year. In February, Rush University Medical Center reported that letters notifying patients of the retirement of a nurse practitioner at the Epilepsy Center were addressed incorrectly. The envelopes were marked with the names of certain patients but sent to different patients’ addresses. That incident affected 908 patients, according to the U.S. Department of Health and Human Services’ Office for Civil Rights.
Across the country, many health systems have been involved in data breaches. At least 57 incidents involving at least 500 patients have been submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights so far this year. That office is tasked with investigating such breaches and may levy fines against health systems, depending on a breach’s severity, said Rachel Patrizzo, vice president of cyberliability underwriting with TDC Specialty Underwriters, a subsidiary of The Doctors Company, which sells medical malpractice insurance.
Health systems must report breaches of protected health information involving 500 or more individuals to the Office for Civil Rights, which posts reports on a public website, nicknamed the Wall of Shame. Recently, UConn Health in Connecticut reported a breach affecting more than 326,000 individuals.
Though many incidents stem from human error, others are the result of hackers or theft. Health systems can be an attractive target for hackers because they keep so much valuable personal data and because there are so many entry points into them, Patrizzo said.
“Certainly, the malicious attacks are on the rise and they get the most publicity and they scare us the most, but personal errors and human errors are just inevitable,” she said.
Some health care systems may not be investing as much in cybersecurity as other industries, said Sean Curran, senior director of cybersecurity at West Monroe Partners, a management consulting firm. Some cash-strapped health systems would rather use the money on patient care than data protection, he said.
Rush is just the latest Illinois health system to deal with an incident related to patient privacy.
In 2016, Advocate Health Care agreed to pay $5.55 million — a record at the time — to settle allegations it violated federal patient privacy law after three separate data breaches involving its physician-led medical group subsidiary, Advocate Medical Group.
The breaches involved the electronic health data of 4 million people that were exposed after a handful of laptops were stolen and an unauthorized third party accessed the network of an Advocate business associate. Advocate did not admit any liability as part of that settlement, though it said at the time, “we deeply regret any inconvenience this incident has caused our patients.”
In 2017, the personal information of as many as 8,862 individuals was compromised after a breach involving Silver Cross Hospital in New Lenox. Silver Cross discovered that year that some patient information may have leaked onto the Internet after a vendor that managed parts of its website upgraded its software.
The report of the data breach comes as Rush also recently disclosed that it potentially received $10.8 million in overpayments from the federal government over a four-year period related to admissions to Rush University Medical Center’s Inpatient Rehabilitation Facility. Rush self-reported that information to the federal government, Song said.
Rush is working with the federal government to determine the exact amount Rush may owe, she said.
In 2017, the U.S. Department of Health and Human Services’ Office of Inspector General conducted a review of Rush and found that the system owed it $10.2 million because of overpayments — which Rush denied. The government has already taken that money back, Song said, though she said Rush is still working with the government to get that number adjusted.
©2019 Chicago Tribune. Distributed by Tribune Content Agency, LLC.