Data breach affected Northwestern Medicine’s cancer reporting vendor

‘We are committed to protecting the security and privacy of patient information’

BATAVIA – A Batavia resident reported to police that he received a letter from Northwestern Medicine advising him of a database breach that may have given someone access to patient information, according to a police report released through a Freedom of Information Act request.

The resident, who received the letter July 1, told police he does not use Northwestern Medicine and had not suffered any financial loss, the report stated.

He had already contacted his credit agencies, and the letter told him how to sign up for a free one-year subscription to identity theft protection, the report stated.

The resident made a police report because the letter stated he should file one, the report stated.

“We regret this incident occurred and we are committed to protecting the security and privacy of patient information,” Northwestern spokesman Chris King stated in an email. “This incident did not involve access to any of the Northwestern Memorial Healthcare systems, network, or electronic health records. This incident occurred on Elekta’s systems.”

Elekta Inc. is a vendor that provides a cloud-based platform to facilitate legally required cancer reporting to the state of Illinois. It informed Northwestern Memorial Healthcare about the breach, which occurred between April 2, 2021, and April 20, 2021, according to a May 17 news release.

“During that time, the unauthorized individual acquired a copy of the database that stores some of NMHC’s oncology patients’ information,” the release stated. “Financial account and payment card information was not involved. This incident did not involve access to NMHC’s systems, network, or electronic health records.”

Instead, it occurred on Elekta’s systems, which held a database for oncology patients at many of its locations, including Northwestern Medicine Delnor Hospital in Geneva and Central DuPage Hospital in Winfield, according to its news release.

“Based on the nature of the incident and its investigation, Elekta has no reason to believe that any of the data involved was or will be misused or will be made available publicly,” King’s email stated.

“We are encouraging our oncology patients to review statements from their health insurer or healthcare provider, and to contact them immediately if they see any services they did not receive,” King’s email stated.

The hospital system established a dedicated call center to answer questions about this incident, from 9 a.m. to 5:30 p.m. Monday through Friday.