A recent spate of major healthcare industry data breaches continued this month, this time here in LogicGate’s hometown of Chicago.
A spokesperson for Rush University Health System—which oversees 30 locations in the Greater Chicagoland area—said a claims-processing vendor shared a file containing patient information with another, unauthorized third party. The breach exposed the personal information of approximately 45,000 patients.
In a financial filing, Rush disclosed that it learned of the data breach on January 22 of this year, although the breach itself actually occurred in May of 2018. Law enforcement and regulatory officials were notified once the breach was discovered.
According to a statement issued by spokeswoman Deb Song, the breach involved “limited personal information” about patients, including addresses, dates of birth, Social Security numbers, and insurance information. It did not include medical history, treatment, diagnosis, or personal financial information.
The Rush Response
In addition to notifying the proper authorities, Rush officials say that all affected patients have been contacted. The hospital also offered them one year of free identity protection and set up a toll-free dedicated call center to address concerns. It further recommended that patients check their credit reports, review their benefit plans with health insurers, and consider freezing their accounts.
Rush launched an internal investigation immediately after discovering the breach. While the investigation is ongoing, officials say they have found no evidence that the information was misused, and no evidence of unauthorized access to Rush’s internal computers or network has been uncovered. The hospital suspended its contract with the claims-processing vendor and launched an internal review of its contracting processes.
“Although Rush is not aware of any misuse of information arising out of this incident, we are providing notice of the incident to all potentially affected individuals as well as providing notice to the Department of Health and Human Services of Civil Rights,” the quarterly report said. “Rush has taken steps relative to its vendors to help prevent this type of incident from happening in the future.”
Part of a Trend
The Rush breach is just the latest in an ongoing trend of data security problems at hospitals across the nation. Hospitals, universities, and healthcare providers in general deal with high volumes of personal information, and the consequences for security lapses are severe.
The announcement from Rush comes on the heels of large-scale breach announcements from at least two other major university health systems. Also in February, Seattle-based UW Medicine said it was notifying close to 1 million patients that their protected health information had been exposed on the internet for three weeks. In December, UConn Health revealed that an “unauthorized third party” illegally accessed employee email accounts containing patient information, including the dates of birth, addresses, and even Social Security numbers of more than 326,000 individuals.
Third Party Failures
The healthcare industry’s attack surface is growing with the number of third-party providers that hospitals and universities do business with. In 2018, healthcare data breaches involving third-party vendors affected 5.3 million patient records (out of a total of 15 million patient records breached), according to a Protenus 2019 cybersecurity report.
These incidents reveal the risks companies take on when their sensitive data is handled by third parties. Without strong oversight and a controls framework, healthcare companies face legal consequences, millions of dollars in fines, and, most seriously, the risk that sensitive patient data could fall into the wrong hands.
The Right Technology to Reverse the Trend
In its defense, Rush handled the situation responsibly. It was right to notify the proper authorities in a timely fashion, and it kept the consumer in mind by offering identity protection, setting up a call center, and keeping the lines of communication open. Each of these is a recommended step in a data breach response plan, and together they show how healthcare facilities can use LogicGate to meet OIG’s 7 Key Elements of Compliance.
Still, Rush could have reduced its exposure by putting the right technology in place ahead of time. Like any company that handles sensitive information, it is critical that Rush keep tabs on the activities of all its third-party vendors with comprehensive risk-mitigation technology. LogicGate’s Third Party Risk Management software helps companies verify third-party access and ensure that every stakeholder follows proper procedures. Timely and accurate certifications and attestations are small but effective steps toward ensuring the appropriate parties follow the right protocols. One caveat a practitioner should keep in mind: an attestation is a process control, not a technical barrier, so it needs to be paired with contractual limits on where vendors may send data and with periodic checks that those limits are honored; it is exactly this kind of gap that Rush’s review of its contracting processes is meant to close.
Ultimately, hospitals and health systems need to strengthen their third-party risk management programs by adopting a risk-based approach, not merely a compliance-based one. LogicGate can help them get there with our healthcare risk management solution.
For more on Third-Party Risk Management, check out LogicGate's eBook below on Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle.