A Chicago-area academic medical center is dealing with its second privacy faux pas this year after recently discovering a third party accessed a file containing patient protected health information (PHI).

Rush University Medical Center, a 664-patient facility housed in and affiliated with Rush University is alerting 45,000 patients that their data may have been exposed after an employee at a financial services vendor working with the facility improperly disclosed a file to an unauthorized party, likely in May 2018.

Despite occurring almost eight months prior, the facility didn't discover the breach until January 22 according to a recent financial filing. It subsequently began informing patients of the breach by mailing letters on February 25, more than a month after it became aware of the incident.

The file contained no shortage of sensitive data, including patient names, home addresses, dates of birth, health insurance information, and Social Security numbers. The facility said in a statement on its website last week there wasn't any evidence of further access to its internal computer systems or network and that no medical history, treatment, diagnosis or other patient information or financial information was divulged.

Rush University Medical Center severed ties with the vendor, an unnamed claims billing processing vendor, following the breach and the company is purportedly reviewing its internal procedures and contracting processes in wake of the breach.

While it's admirable the facility caught the data misuse, it's a wonder why it took it the medical center nearly eight months to do so. It's likely a more rigorous data protection strategy, one that allows an organization to see where data is, where it's going, and can prevent it from being misused, without impacting patients or practitioners, could have better safeguarded the file in question here and forbidden it from being shared in the first place.

Under HIPAA, providers are required to “implement technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information" but in many ways the lack of safeguards around third parties who handle corporate data has been the industry's undoing when it comes to data breaches lately.

Data belonging to more than 30,000 Managed Health Services (MHS) of Indiana patients was compromised earlier this year after attackers gained access to an employee email accounts via a third party, LCP Transportation, that partners with the organization to provide transportation for patients.

This is the second slip-up by Rush in the past two months; in February the company mistakenly sent letters to 908 incorrect individuals to inform them about the retirement of a nurse practitioner at its Epilepsy Center. While it listed the names of actual patients on the envelopes, the letters were accidentally sent to different patients.