October 2, 2017
On August 1, 2017, Cook County Health and Hospitals System (CCHHS) and the Office of Corporate Compliance were notified by Experian Health, a Business Associate that helps us determine insurance eligibility, that they experienced a security breach. Under the Health Insurance Portability and Accountability Act (HIPAA), one of the ways a security breach can occur is when confidential information is released to another party that had no reason to receive the confidential information. In this case, Experian sent patient information to other healthcare facilities during a computer system upgrade in March 2017. This should not have happened.
CCHHS has learned that in this incident, Experian released names, account numbers, medical record numbers, and dates of birth of the individuals involved. This is considered Protected Health Information (PHI). Individual addresses, social security numbers, and clinical information were NOT included in this breach.
Once Experian became aware of this issue, they took steps to correct the error and remove all confidential information that was sent in to the other healthcare facilities. We have not been notified of any instances of unauthorized uses of individuals’ information at this time and believe there is a low probability that information will be misused.
Since this happened we are making every effort to make sure this does not happen again. These efforts are called corrective actions and include:
- Looking at what happened and understanding the events
- Talking about this event with Experian
We know you trust us and our vendors with your confidential information and we have a duty to keep that trust through our actions. We apologize for this breach. We – and our business partners – must and will do everything we can to protect our patients’ privacy.
If you have questions or would like more information, please call 1-877-476-1873 (8 a.m. to 5 p.m. Monday through Friday), e-mail the Cook County Health and Hospitals System Compliance Program at firstname.lastname@example.org or send a letter to Cathy Bodnar, Chief Compliance and Privacy Officer, Cook County Health and Hospitals System, 1900 W. Polk St., Suite 123, Chicago, IL 60612.