A hack at a third-party software vendor compromised data on thousands of cancer patients who sought care at Northwestern Memorial HealthCare in Chicago.
The data breach exposed personal and health data on an estimated 201,200 patients at Northwestern Memorial, according to a report that the health system submitted to HHS' Office for Civil Rights last week. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update Thursday.
Northwestern Memorial is the latest health system to disclose that its patients were affected by a breach at Elekta, a Swedish company that sells radiation therapy technology and related software.
An unauthorized user in April gained access to Elekta's cloud-based storage system and removed a copy of a database that stores oncology patient information, including names, dates of birth, Social Security numbers, health insurance information, medical record numbers and other clinical information of some patients.
The hack affected a "subset" of customers in North America, according to a notice Elekta posted online. The breach affected at least 40 health systems in the U.S., according to a report from the Bend Bulletin in Oregon, including Bend-based St. Charles Health System and Reno, Nev.-based Renown Health.
Elekta alerted Northwestern Memorial about the hack in May, according to a notice the health system posted online. Northwestern Memorial, which used the company's cloud platform to report information on cancer patients to the state of Illinois, is "re-evaluating" its relationship with Elekta, according to the notice.
"We regret this incident occurred and we are committed to protecting the security and privacy of patient information," a Northwestern Memorial spokesperson wrote in an emailed statement.
Elekta said in an emailed statement that since the data breach it has reported the incident to the Federal Bureau of Investigation and migrated its cloud-based applications to a different cloud platform, one that wasn't affected by the hack and runs on Microsoft Corp.'s Azure.
HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department, so customers that learned of the breach in May will likely report the incident in July.