Rush System for Health says personal information for about 45,000 patients has been compromised.
The health system disclosed in a financial filing that the data breach, which it learned about on Jan. 22, was due to an employee at one of its third-party claims processing vendors sharing a file containing patient information with an unauthorized party. While medical history was not disclosed, patient names, addresses, Social Security numbers, birthdates and health insurance information for those tens of thousands of patients was exposed.
Hospital spokeswoman Deb Song said today the firm involved is Lombard-based MiraMed, and the breach is considered low risk since no personal financial information was disclosed. She added that all patients involved have been offered 12 months of identify protection services for free.
"It's unfortunate and it's something we take extremely seriously," Song said, adding that Rush reported the breach to the U.S. Department of Health & Human Services on Feb. 28, after notifying patients earlier in the week.