Aspirus and OSF Healthcare have joined Memorial Hermann Health System and University of Chicago Medicine in notifying their patients of a 2019 data breach in which a former employee at revenue cycle management vendor Med-Data uploaded patients' personal information.
Four details:
- Med-Data discovered the breach in December and notified providers whose patients' data was affected Feb. 8.
- An internal investigation found that a former Med-Data employee saved client files to personal folders created on a public-facing website sometime during or before September 2019. The files uploaded to the website contained patients' names and in some cases birth dates, Social Security numbers, addresses and healthcare data. Med-Data said it removed the files Dec. 17, 2020.
- Patient information was breached from Houston-based Memorial Hermann Health System; University of Chicago Medicine; Wausau, Wis.-based Aspirus; and Peoria, Ill.-based OSF Healthcare. Affected patients from all four health systems have been notified of the data breach.
- University of Chicago Medicine said almost 900 of its patients may have been affected by the security breach.
- Med-Data did not say whether it would press charges against the former employee who uploaded the information. The company is offering affected individuals a free year of credit monitoring and identity theft protection services.