March 31, 2021
NOTICE OF DATA PRIVACY INCIDENT BY A THIRD PARTY
A business associate, Med-Data, Incorporated (“Med-Data”) notified the University of Chicago Medical Center (“UCMC”) and other clients of a privacy incident that may have impacted the information of individuals that was provided to assist with processing. Med-Data provides revenue cycle services to hospitals, healthcare systems and their patients, including solutions for Medicaid eligibility, third-party liability, workers’ compensation, and patient billing.
On December 10, 2020, Med-Data was informed by an outside third party that some data related to its business had been made publicly available. Med-Data immediately launched an investigation and validated the claim. The files were promptly removed. Med-Data hired cybersecurity specialists to assist in the review of the incident and on February 8, 2021, notified UCMC of its affected individuals. Med-Data mailed letters to impacted individuals and notified applicable regulatory agencies on March 31, 2021. More information can be found at meddata.com/data-privacy.
What information was involved?
Based on Med-Data’s investigation, information may have included individuals’ names, in combination with one or more of the following: physical address, date of birth, and in some cases Social Security number, provider name, health insurance name, and subscriber or guarantor ID.
What is Med-Data doing?
Med-Data is offering impacted individuals credit monitoring and identity protection services through IDX at no cost. Med-Data has also taken steps to minimize the risk of a similar event happening in the future. Med-Data implemented additional security controls, blocked all file-sharing websites, updated internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution that provides 24/7 monitoring of its network, endpoints and workstations.
What is UCMC doing?
As required by law, UCMC is reinforcing Med-Data’s efforts to notify patients individually and ensure they get the information they need via its website and a media notice. UCMC is also reviewing its relationship with Med-Data and its security practices to ensure they align with UCMC’s expectations. While this breach of information occurred through a third-party service provider, UCMC is committed to the confidentiality and security of patients’ personal information and demands this same level of commitment from its business associates and vendors. UCMC will continue to monitor the situation.
What if I have questions or need more information?
To determine whether your information was impacted or for more information about this incident, please call 1-833-903-3647 from 8 a.m. to 8 p.m. Central Time, Monday through Friday. Individuals also can contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261; or visit ftc.gov/idtheft for more information on protecting their identity.