• Rush University Medical Center suffered a massive data breach on January 22, 2019.
  • The institution has notified around 45,000 patients affected in the security incident.

Rush University Medical Center has issued notices to around 45,000 patients whose data were compromised in a major data breach that happened on January 22. The hospital detailed this serious security incident in a financial filing and subsequently sent notices to affected patients starting from February 25.

The big picture

  • According to the filing, compromised data included names, addresses, birthdays, Social Security numbers and health insurance information, of the patients.
  • Medical information was part of the data exposed in the breach.
  • Rush has however mentioned that the data was not misused post the incident.
  • After the breach was uncovered, the hospital revoked its contract with its IT vendor and started an internal investigation.
  • As a consolation to affected patients, Rush has offered a free one-year membership to an identity protection service.
  • The Chicago-based medical institution has put out a helpline for patients to address queries related to the breach. It has three hospitals, one located in Chicago and the other located in Aurora.

Back to back incidents

This is Rush’s second security incident observed this year. Earlier, the hospital had wrongly sent letters to patients other than those who were supposed to receive it.

“In February, Rush University Medical Center reported that letters notifying patients of the retirement of a nurse practitioner at the Epilepsy Center were addressed incorrectly. The envelopes were marked with the names of certain patients but sent to different patients’ addresses. That incident affected 908 patients, according to the U.S. Department for Health and Human Services Office for Civil Rights,” reported Chicago Tribune.

Cyware Publisher