Cook County Health Patients Affected by Cyberattack at Medical Transcription Firm
Cook County Health, which operates John H. Stroger, Jr. Hospital and Provident Hospital in Chicago, IL, has been informed by one of its business associates, Perry Johnson & Associates, Inc., (PJ&A) that patient data has potentially been compromised in a cyberattack.
PJ&A provides medical transcription services to Cook County Health and has access to patients’ protected health information. PJ&A notified Cook County Health on July 21, 2023, that it was investigating a cyberattack, and confirmed on July 26, 2023, that the personal information of Cook County Health patients was stored on the compromised parts of its network. The forensic investigation confirmed that an unauthorized third party accessed the systems where patient data was stored in April 2023.
It has been more than two months since Cook County Health was informed about the attack; however, PJ&A has yet to provide a final list of the affected patients and the compromised data, so notification letters have yet to be mailed. Cook County Health said the information likely compromised in the incident will involve names in combination with one or more of the following: date of birth, address, medical record number, encounter number, medical information, dates/times of service, and, in some cases, Social Security number.
Cook County Health said its legal counsel is working diligently to obtain the final list of patients from PJ&A, and notification letters will be mailed when the list is obtained. Complimentary credit monitoring and identity protection services will be offered to the affected individuals. Cook County Health said it stopped sharing data with PJ&A when it learned about the data breach and terminated its business associate agreement with the company. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals to meet breach reporting requirements until the final patient list is provided.
UPDATE: Cook County Health said it was informed by PJ&A that 1.2 million patients were affected. Northwell Health in New York has also announced that it was affected by the breach but has yet to disclose how many individuals were affected. PJ&A is now appearing on the HHS’ Office for Civil Rights Breach portal, which indicates 8,952,212 individuals were affected. You can view the latest updates on the PJ&A data breach here.
AIDS Alabama Discovers 10-Month Breach
The Birmingham, AL-based social services organization, AIDS Alabama, Inc., has discovered an unauthorized third party accessed its network. A third-party digital forensics firm was engaged to investigate the security breach and determined that its network was accessed by an unauthorized third party between October 11, 2021, and August 9, 2022, and during that time, sensitive data may have been viewed or obtained.
On August 14, 2023, AIDS Alabama determined that full names, addresses, Social Security numbers, medical diagnoses, healthcare provider names, health insurance information, email addresses, and the medical services received may have been compromised. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 1,922 individuals.
Notification letters started to be mailed to the affected individuals on September 22, 2023. AIDS Alabama said it is committed to maintaining the privacy of personal information in its possession and has taken additional precautions to safeguard it and will continue to evaluate and modify its practices to enhance the privacy and security of personal information.
Gillette Children’s Specialty Healthcare Affected by MOVEit Hack at Business Associate
Gillette Children’s Specialty Healthcare has recently confirmed that the protected health information of 542 patients was compromised as part of the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer application in May 2023. The file transfer solution was used by its business associate, Nuance Communications, for exchanging information such as X-rays, MRIs, and other medical images.
While the attack occurred in May, Gillette Children’s Specialty Healthcare was not informed about the attack until August 7, 2023. The information compromised in the incident included names, dates of service, services provided, practitioner names, facility names, and for some patients, medical record numbers.