Chicago-based Rush University Medical Center sent letters to up to 45,000 patients notifying them of a potential data security incident in May 2018.
Data from an estimated 45,000 patients may have been compromised after an employee from one of Rush's third-party financial services vendors improperly disclosed a file containing certain patient information to an unauthorized party.
Patient information that may be affected includes names, addresses, dates of birth and insurance information. Rush said medical and financial data were not included in the breach. The medical center believes none of the compromised information was misused, according to the letter it sent patients.
After discovering the breach Jan. 22, Rush launched an internal investigation and suspended its contract with the vendor. Additionally, the health system is providing a free, yearlong membership to an identity protection service to patients who were affected.
Rush recommends patients affected by the security incident monitor their credit reports and financial accounts for suspicious activity, check their explanations of benefits documents from their health plans and review their rights to fraud alerts and credit freezes.