Data breach impacts 900 University of Chicago Medical Center patients
Patient files — including names, social security numbers and health data — were uploaded to a public website by a former employee of a data processor that includes the medical center among its clients, officials said Wednesday.
A former employee at a national health care data processor that includes the University of Chicago Medical Center among its clients uploaded patients’ private information to the internet in 2019, potentially revealing their Social Security numbers and physical addresses and other sensitive data, officials said Wednesday.
The University of Chicago Medical Center said that nearly 900 of its patients might have been affected by the security breach at Med-Data, an Ohio-based company that provides revenue cycle services to health care providers and patients.
“The exposure of information occurred on Med-Data’s end. At this time, the company has confirmed it has no knowledge of any actual or attempted misuse of the information of our patients,” the University of Chicago Medical Center said in a statement.
“Med-Data has assured UCMC that it has taken all necessary and appropriate steps to secure this information and mitigate any personal financial risk to UCMC patients,” the medical center said.
Med-Data was notified by a journalist in December that patients’ data appeared on a public website, and found that a former employee had uploaded patients’ files to personal folders on the site on or before September 2019, the company said.
Cybersecurity experts confirmed that the files contained patients’ names and, in some cases, their birthdates, Social Security numbers, addresses and health care information, among other private information, Med-Data said in a written statement.
Med-Data mailed a letter to the affected individuals Wednesday to notify them of the data breach, and is offering a year of free credit monitoring and identity theft protection services to them, the company said.
The company did not say whether it would be pressing charges against the former employee who uploaded the information. Med-Data did not respond to a request for further comment.