Data of 45,000 Rush patients exposed due to third-party breach

The personal information of about 45,000 patients at Rush System for Health has been compromised due to a data breach at one of the health system’s third-party claims processing vendors.

The data breach, first reported by Crain’s Chicago Business, was disclosed in a Rush financial filing (PDF). The breach, which Rush learned about on Jan. 22, was the result of an employee at one of its third-party vendors improperly disclosing a file containing certain patient information to an unauthorized party.

According to a statement from Rush provided by health system spokeswoman Deb Song, the file included “limited” personal information about certain Rush patients. Although the file did not contain medical history or treatment information, it may have contained personal information, such as name, address, Social Security number, date of birth and health insurance information, relating to approximately 45,000 Rush patients, according to the financial filing. According to the statement, the shared information varies by individual.

After the discovery, Rush launched an internal investigation and did not find any evidence of unauthorized access to any of Rush’s internal computer systems or network, the health system said.

“Rush takes this matter very seriously and is committed to protecting patients’ personal information. Rush has launched an internal investigation and has suspended the contract with the claims processing vendor,” Rush said in the statement. “Rush understands the importance of maintaining the privacy and security of patients’ information and we will maintain our diligence to prevent this in the future, including reviewing contracting processes and vendor oversight.”


All patients involved have been offered 12 months of identity protection services for free, the health system said.

“Rush has taken steps relative to its vendors to help prevent this type of incident from happening in the future.”

According to Crain’s, Song said the firm involved is Lombard-based MiraMed, and the breach is considered low risk since no personal financial information was disclosed.

“It’s unfortunate and it’s something we take extremely seriously,” Song said, adding that Rush reported the breach to the U.S. Department of Health and Human Services on Feb. 28, after notifying patients earlier in the week, according to the Crain’s story.

Last month, Rush University Medical Center said it inadvertently exposed the names of another 908 patients when it mailed letters about the retirement of a certified nurse practitioner at its Epilepsy Center, according to Crain’s.

In a separate breach incident, Columbia Surgical Specialists of Spokane, Washington, reported a breach incident to HHS Office of Civil Rights. The incident, which appears on HHS’ public breach tool as a hacking/IT Incident involving a network server, reportedly affected 400,000 patients.

The breach was reported Feb. 18. No other information was provided, and, as of press time, the healthcare organization did not respond to a request for comment.

Two weeks ago, Seattle-based UW Medicine said it was notifying close to 1 million patients of a database configuration error that exposed their protected health information on the internet for several weeks.


Many of the recent cybersecurity incidents, as well as major hospital security incidents reported last year, are related to third-party vendor data breaches.

“It is one of the major attack vectors that we’re seeing today and if you look at the Rush incident, or Virtua Medical Group, Silver Cross Hospital, or UW Medicine, it’s the same theme—way too much trust in these vendors that they are sharing sensitive information with,” Mac McMillan, co-founder and CEO of CynergisTek, an information security and privacy consulting firm, told FierceHealthcare. 

“The healthcare industry has not embraced the fact that our attack surface is growing and it’s growing with all of these third-party providers that they are doing business with. The number of third parties that hospitals share personal health information with has grown exponentially to where it's now an average of 300 to 400 organizations outside their environment,” he said. “Health data is not only at risk at the hospital itself, but also at every one of these locations where the data is going.”

A Ponemon Institute survey of chief information security officers across industries found that 61% of American companies have experienced a third-party breach, up 5% from 2017. More than 75% of all respondents said third-party data breach incidents are on the rise.

Within healthcare, data breaches in 2018 involving third-party vendors affected 5.3 million patient records, and that’s out of a total of 15 million patient records breached last year, according to a Protenus 2019 cybersecurity report.

Other industries, such as banking, have specific third-party risk profile requirements that companies have to meet, but healthcare does not have such requirements, McMillan said.

There are a number of developments that could eventually pressure third-party vendors to better protect consumer data, McMillan said, including the European Union’s General Data Protection Regulation and the sweeping consumer privacy law recently passed in the California legislature. There is momentum building for federal privacy legislation in the U.S. as well.

In the meantime, McMillan said hospitals and health systems need to strengthen their third-party risk management programs by adopting a risk-based approach, not a compliance-based one.

“Organizations need thorough and carefully written contracts that make it clear what their expectations are from the vendor, and categorize vendors based on their risk profile,” he said. Organizations also need to identify fourth-party subcontractors and require that vendors get approval of any fourth-party involvement.