Chicago Hospital Data Breach Exposes Patient Information
Chicago hospital Rush University Medical Center recently reported a data breach that exposed sensitive information of about 1,000 patients.
According to reports, the hospital sent a mailing to epilepsy patients regarding the retirement of one of the hospital’s staff members. Through human error, the patient names were mismatched with the addresses of other patients. So patients received notices with their correct address but with the names of other patients.
The hospital reported the incident to the U.S. Department of Health & Human Services, which requires notice when protected health information for 500 or more people is made public.
“(We) take(s) very seriously the privacy and security of our patients’ personal information and we regret that this incident happened,” said Andy Reeder, the hospital’s associate vice president of HIPAA privacy & security, in a letter to patients. “We have taken corrective action steps to ensure our privacy and security safeguards. We have partnered with ID Experts, a company that is assisting RUMC in this response, to provide you informational services about this incident.”
The Impact of Health Care Data Breaches
While the Rush University Medical Center breach appears to have been a low-risk user error, releasing confidential patient information still exposes the organization to liability, a concern for every health care related company.
At BKS we work with health care companies to minimize liability exposure in the following ways:
- User awareness training specific to the health care industry
- Discussing and recommending basic cyber insurance for health care companies
- Spam/virus monitoring and protection
- Endpoint management
- Detailing cyber threats from all angles, including those that come from within the company
As noted above, health care companies that experience data breaches are required to report them to the U.S. Department of Health & Human Services and affiliated state agencies. Disclosure requirements put companies in the spotlight, damaging their public image and eroding the trust of their clients.