• Editor’s Note: This article and its headline were updated at 3:40 p.m. Tuesday to reflect a statement by a Rush Copley Medical Center spokesperson that the Aurora hospital was not affected by the data breach.

A spokesperson from Rush Copley said today (Tuesday, March 5, 2019) that Rush Copley Medical Center in Aurora is not among the hospitals compromised in a data breach that has affected 45,000 Rush patients.

Courtney Satlak, Rush Copley’s director of marketing, said via voice mail and email that recent media reports were incorrect in suggesting that Rush Copley patients were among the Rush System for Health patients whose personal information may have been compromised.

“Rush Copley Medical Center and Rush Copley Medical Group patients were not impacted by the Rush System breach,” she said in a written statement.

The information about the breach was revealed in a recent financial filing, according to a March 4 report in the Chicago Tribune.

The exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information, according to the filing.

According to reports, Rush believes none of the information had been misused.

HealthCare Finance said Rush has sent letters to patients that it believes were affected by the breach.

“Rush takes this matter very seriously. After our discovery of the incident, we launched an internal investigation and suspended our contract with the financial claims vendor,” Rush said in the letter.  “Additionally, we are reviewing our internal procedures and contracting processes to help prevent this type of incident from happening in the future. We are also increasing our internal awareness of service vendors and reviewing processes for working with third-party firms.”

Rush System for Health operates Rush University Medical Center in Chicago, Rush Copley Medical Center in Aurora, Rush Oak Park Hospital and several clinics and satellite facilities in the Chicago area.

The system said it learned of the breach on Jan. 22. The actual incident was believed to have occurred in May 2018.

Rush said third-party financial services vendors “improperly disclosed a file containing certain patient information to an unauthorized party.”

After discovering the breach, Rush suspended its contract with the financial services vendor, according to HIPAA Journal.

Rush said law enforcement and regulatory officials were notified.

Affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution and have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity.

All affected patients were notified of the breach by mail on Feb. 25, 2019, the HIPPA Journal article said.

SOURCE: Rush Copley, Chicago Tribune, HealthCare Finance and HIPAA Journal websites