Patients of Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, have been made aware of a breach of their protected health information.
The breach happened at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is hired to determine insurance eligibility and limited patient information is shared to the business associate for this aim.
The breach happened in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was mistakenly shared to other healthcare systems. The PHI disclosed was restricted and did not include the types of information sought by cybercriminals to carry out identity theft.
Due to the restricted disclosure of PHI, and the fact that the data was shared to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been alerted of any unauthorized uses of the disclosed information. The breach was restricted to patients’ names, medical record numbers, dates of birth, and account details.
Following identification of the breach, Experian Health took steps to recover and secure the disclosed data and steps have been taken to avoid similar incidents from exposing the PHI of patients. Cook County Health and Hospitals System also investigated the breach and is satisfied with the actions taken by Experian Health to prevent similar breaches from happening in the future.
Cook County Health and Hospitals System was made aware f the breach on August 1, 2017 and a substitute breach notice was published on the health system’s website on October 2, 2017. All patients affected by the breach have now been alerted by mail and a breach report has been registered to the Department of Health and Human Services’ Office for Civil Rights (OCR).
