The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cook County Health Patients Affected by Cyberattack at Medical Transcription Firm

Posted By on Oct 16, 2023

Cook County Health, which operates John H. Stroger, Jr. Hospital and Provident Hospital in Chicago, IL, has been informed by one of its business associates, Perry Johnson & Associates, Inc., (PJ&A) that patient data has potentially been compromised in a cyberattack.

PJ&A provides medical transcription services to Cook County Health and has access to patients’ protected health information. PJ&A notified Cook County Health on July 21, 2023, that it was investigating a cyberattack, and confirmed on July 26, 2023, that the personal information of Cook County Health patients was stored on the compromised parts of its network. The forensic investigation confirmed that an unauthorized third party accessed the systems where patient data was stored in April 2023.

It has been more than two months since Cook County Health was informed about the attack; however, PJ&A has yet to provide a final list of the affected patients and the compromised data, so notification letters have yet to be mailed. Cook County Health said the information likely compromised in the incident will involve names in combination with one or more of the following: date of birth, address, medical record number, encounter number, medical information, dates/times of service, and, in some cases, Social Security number.

Cook County Health said its legal counsel is working diligently to obtain the final list of patients from P&A and notification letters will be mailed when the list is obtained. Complimentary credit monitoring and identity protection services will be offered to the affected individuals. Cook County Health said it stopped sharing data with PJ&A when it learned about the data breach and terminated its business associate agreement with the company. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals to meet breach reporting requirements until the final patient list is provided.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

UPDATE: Cook County Health said it was informed by PJ&A that 1.2 million patients were affected. Northwell Health in New York has also announced that it was affected by the breach but has yet to disclose how many individuals were affected. PJ&A is now appearing on the HHS’ Office for Civil Rights Breach portal, which indicates 8,952,212 individuals were affected. You can view the latest updates on the PJ&A data breach here.

AIDS Alabama Discovers 10-Month Breach

The Birmingham, AL-based social services organization, AIDS Alabama, Inc., has discovered an unauthorized third party accessed its network. A third-party digital forensics firm was engaged to investigate the security breach and determined that its network was accessed by an unauthorized third party between October 11, 2021, and August 9, 2022, and during that time, sensitive data may have been viewed or obtained.

On August 14, 2023, AIDS Alabama determined that full names, addresses, Social Security numbers, medical diagnoses, healthcare provider names, health insurance information, email addresses, and the medical services received may have been compromised. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 1,922 individuals.

Notification letters started to be mailed to the affected individuals on September 22, 2023. AIDS Alabama said it is committed to maintaining the privacy of personal information in its possession and has taken additional precautions to safeguard it and will continue to evaluate and modify its practices to enhance the privacy and security of personal information.

Gillette Children’s Specialty Healthcare Affected by MOVEit Hack at Business Associate

Gillette Children’s Specialty Healthcare has recently confirmed that the protected health information of 542 patients was compromised as part of the mass exploitation of a zero day vulnerability in Progress Software’s MOVEit Transfer application in May 2023.  The file transfer solution was used by its business associate, Nuance Communications, for exchanging information such as X-rays, MRIs, and other medical images.

While the attack occurred in May, Gillette Children’s Specialty Healthcare was not informed about the attack until August 7, 2023. The information compromised in the incident included names, dates of service, services provided, practitioner names, facility names, and for some patients, medical record numbers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist