As the Chicago Tribune reported on March 4, “The personal information of about 45,000 Rush patients may have been compromised in a data breach, the health system revealed in a recent financial filing. The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing. The data did not include medical information. Rush said that to its knowledge, none of the information had been misused,” the Tribune’s Lisa Schencker reported.
In a letter to patients that it has published online, Rush officials said that, “On January 22, 2019, Rush learned that an employee of one of our third-party financial services vendors improperly disclosed a file containing certain patient information to an unauthorized party. We believe this disclosure occurred in May 2018. Law enforcement and regulatory officials have been notified. Based on our internal review, we believe this file included limited personal information relating to certain Rush patients.” They told recipients, “You are one of the individuals whose information could be affected by this incident. Though the shared information varies by individual, it may include your name, address, date of birth, and insurance information. During our investigation, we did not find any evidence of any unauthorized access to any of Rush’s internal computer systems or network. Additionally, treatment, diagnosis or other patient information was not included; personal financial information was not included.”
Rush Health encompasses three hospitals in Chicago and its suburbs, including its anchor academic medical center in downtown Chicago.