PHI of 45,000 Exposed Following Third Party Data Misuse | Digital Guardian



by Chris Brook on Thursday September 24, 2020


The incident stems from an employee at a vendor working with the medical center improperly disclosing patient data.

A Chicago-area academic medical center is dealing with its second privacy faux pas this year after recently discovering a third party accessed a file containing patient protected health information (PHI).

Rush University Medical Center, a 664-patient facility housed in and affiliated with Rush University, is alerting 45,000 patients that their data may have been exposed after an employee at a financial services vendor working with the facility improperly disclosed a file to an unauthorized party, likely in May 2018.

Although the disclosure occurred almost eight months earlier, the facility didn't discover the breach until January 22, according to a recent financial filing. It subsequently began informing patients of the breach by mailing letters on February 25, more than a month after it became aware of the incident.

The file contained no shortage of sensitive data, including patient names, home addresses, dates of birth, health insurance information, and Social Security numbers. The facility said in a statement on its website last week there wasn't any evidence of further access to its internal computer systems or network and that no medical history, treatment, diagnosis or other patient information or financial information was divulged.

Rush University Medical Center severed ties with the vendor, an unnamed claims billing processing vendor, following the breach, and the company is purportedly reviewing its internal procedures and contracting processes in the wake of the breach.

While it's admirable that the facility caught the data misuse, it's a wonder why it took the medical center nearly eight months to do so. A more rigorous data protection strategy, one that lets an organization see where its data is and where it's going, and that can prevent the data from being misused without impacting patients or practitioners, could likely have better safeguarded the file in question and prevented it from being shared in the first place.

Under HIPAA, providers are required to "implement technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information," but in many ways the lack of safeguards around third parties who handle corporate data has been the industry's undoing when it comes to data breaches lately.

Data belonging to more than 30,000 Managed Health Services (MHS) of Indiana patients was compromised earlier this year after attackers gained access to employee email accounts via a third party, LCP Transportation, which partners with the organization to provide transportation for patients.

This is the second slip-up by Rush in the past two months; in February the company mistakenly sent letters to 908 incorrect individuals to inform them about the retirement of a nurse practitioner at its Epilepsy Center. While it listed the names of actual patients on the envelopes, the letters were accidentally sent to different patients.

Tags: Industry Insights, Healthcare

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.