Rush University Medical Center is feeling the impact of a breach it did not itself cause. A third-party claims processing vendor is responsible for the compromise of personal information belonging to approximately 45,000 Rush Medical patients. The breach occurred when an employee of the vendor inappropriately shared a patient file with an unauthorized individual.
Rush Medical was notified of the incident on January 22 and quickly launched its own investigation to assess the incident and its impact. According to that investigation, no medical data such as diagnosis or treatment information was disclosed. The file did, however, contain patient names, Social Security numbers, dates of birth, addresses, and health insurance information.
To Rush Medical’s knowledge, there has been no misuse of the information compromised in the incident. Nevertheless, all potentially affected individuals are being notified, and each affected patient will receive a year of free identity protection service.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has also been notified of the breach, as have state regulators.
Following the incident, Rush Medical has suspended its contract with the vendor that caused the breach. A Business Associate Agreement (BAA) was in place with that vendor at the time of the incident.
The breach has prompted the medical center to take further action with all vendors to ensure a similar event does not occur in the future.
This incident serves as an important reminder that a breach can occur and damage an organization even when the organization itself did nothing wrong. Despite Rush Medical having a BAA in place, the Business Associate still caused a data breach. Having a BAA with a third-party vendor is critical, but it does not free you from the repercussions of a breach that vendor causes: as this case shows, it was Rush Medical, not the vendor, that had to investigate, notify 45,000 patients, report to OCR and state regulators, and pay for identity protection. Always ensure that the vendors you work with take HIPAA compliance seriously and do everything in their power to protect your patients’ data. In addition, review each vendor’s compliance at least annually to confirm you are still working with a vendor that has your best interests in mind when it comes to privacy and security.