Chicago-based Rush University Medical Center inadvertently exposed the names of 908 patients in a paper mailing announcing the retirement of a certified nurse practitioner at its Epilepsy Center.
Names listed on the outside of envelopes did not match the corresponding address, leading patients to receive the mailing with another patient's name on it. The letter inside the envelopes was addressed "Dear Patient." As no contact information was exposed, Rush deemed the breach low risk to patient privacy. Rush reported the data breach Feb. 11 to HHS' Office for Civil Rights and has attempted to notify all patients involved.
"RUMC takes very seriously the privacy and security of our patients' personal information and we regret that this incident happened. We have taken corrective action steps to ensure our privacy and security safeguards," Andy Reeder, Rush HIPAA privacy and security officer, told patients in a letter about the breach. Rush partnered with ID Experts, a Portland, Ore.-based data breach services firm, to help manage its response.
More articles on cybersecurity:
NIH should strengthen information-security controls, OIG finds
Minnesota hospital alerts 2,000 patients of phishing scheme
AdventHealth notifies 42,000 patients of data breach