[BreachExchange] Rush data breach exposes 45,000 patients

Destry Winant destry at riskbasedsecurity.com
Wed Mar 6 10:03:38 EST 2019


Rush System for Health says personal information for about 45,000
patients has been compromised.

The health system disclosed in a financial filing that the data
breach, which it learned about on Jan. 22, was due to an employee at
one of its third-party claims processing vendors sharing a file
containing patient information with an unauthorized party. While
medical history was not disclosed, patient names, addresses, Social
Security numbers, birth dates and health insurance information for
those tens of thousands of patients were exposed.

Hospital spokeswoman Deb Song said today the firm involved is
Lombard-based MiraMed, and the breach is considered low risk since no
personal financial information was disclosed. She added that all
patients involved have been offered 12 months of identity protection
services for free.

“It’s unfortunate and it’s something we take extremely seriously,”
Song said, adding that Rush reported the breach to the U.S. Department
of Health & Human Services on Feb. 28, after notifying patients
earlier in the week.

So far this year, more than 55 data breaches nationwide have been
reported to HHS, which requires notice when protected health
information for 500 or more people is exposed.

Last month, Rush University Medical Center said it inadvertently
exposed the names of another 908 patients when it mailed letters
about the retirement of a certified nurse practitioner at its Epilepsy

The global health care sector had the highest per-capita data breach
costs last year, with lost or stolen records containing personally
identifiable information costing organizations an average of $408
each, according to a July report by IBM Security and the Ponemon
Institute. Meanwhile, the average cost of a compromised record across
all sectors was $148, the report found.

Health records containing insurance information, which can be used for
fraudulent billing and prescriptions, as well as Social Security,
driver's license and credit card numbers, are extremely vulnerable to
poaching. If online theft keeps accelerating at the current pace,
everyone in the U.S. will have had their health care data compromised
by 2024, Crain’s reported in 2017.
