This article originally appeared in Information Security Buzz on March 6, 2019.

Rush System for Health says personal information from about 45,000 patients may have been compromised in a data breach. 

The health system said in a recent financial filing that the exposed data may include names, addresses, birthdays, Social Security numbers and health insurance information. Rush said that to its knowledge none of the data had been misused and didn’t include medical information. Officials say the breach happened after an employee of one of Rush’s financial services vendors improperly shared a file with an unauthorized party. They say it likely happened in May 2018.  

Usman Rahim, Digital Security and Operations Manager at The Media Trust:

“Many hospitals and other healthcare providers have improved performance and lowered costs by outsourcing their billing process to third parties. 

The problem is, too many third parties put together inadequate measures to ensure that data is secure and distributed only to authorized parties. Human error is an ever-present risk, but so is getting hacked. The fact is, healthcare providers, especially smaller ones with tight budgets, are under frequent attack because they collect and generate a lot of sensitive data and rely on insecure third parties—who handle billing, provide medical devices developed without security in mind, host online patient portals where doctors share medical test results with patients, etc. At best, bad actors can profit from the security shortage; at worse, they endanger patients’ safety. 

Hospital CISOs should take a harder look at their third parties’ security posture to reduce these risks. Once information reaches the dark web, there’s no telling how it can be used, but it will be.”