About 45,000 Rush University Medical Center patients may have had personal information compromised in a data breach, according to the health system.
An employee of one of Rush’s financial services vendors “improperly disclosed” a file containing certain patient information to an unauthorized party, Rush spokesperson Deb Song said.
The exposed data may include a patient’s name, address, date of birth, Social Security number and health insurance information, Song said.
No medical history, treatment, diagnosis or personal financial information was shared, however, she added.
Rush discovered the breach on Jan. 22 and launched an internal investigation. The contract with the claims processing vendor was also suspended, according to a quarterly operations report.
The health system is “not aware of any misuse of information arising out of this incident,” the report says, but Rush provided notice to patients and the Department of Health and Human Services’ Office of Civil Rights.
Rush is offering a yearlong membership to an identity protection service for those affected.
