Cook County Health and Hospitals System reports data breach of third party supplier

Cook County Health (CCH) was recently alerted by an external service provider, Perry Johnson & Associates, Inc. (PJ&A), about a data breach that impacted their systems where certain CCH patient records were stored. Previously, PJ&A had been rendering medical transcription services for CCH.

On July 21, 2023, amidst their ongoing investigation into the matter, PJ&A apprised CCH about the cybersecurity breach they had experienced. PJ&A collaborated with both the FBI and external cybersecurity professionals. The examination revealed that in April 2023, an unauthorized entity had breached PJ&A's databases that housed CCH patient information. In light of these revelations, CCH promptly ceased all data exchanges with PJ&A and severed its contractual ties with them.

By October 9, 2023, PJ&A furnished CCH with a comprehensive list of patients affected by this breach. CCH is currently in the process of analyzing this list and intends to inform the concerned individuals at the earliest.

Importantly, no direct breach occurred on CCH's own systems or servers.

Presently, the compromised data might encompass details like

• names,
• dates of birth,
• residential addresses,
• medical record IDs,
• medical details,
• specifics of medical appointments,
• some Social Security numbers.

No details are provided about the number of affected individuals.

Update - Cook County Health reports that for 1.2 million patients were impacted. Personal patient information that could have been accessed included names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, and dates/times of service. Approximately 2,600 of those patient records may also have included Social Security Numbers.

To address this, CCH plans to dispatch detailed letters to the affected patients, explaining the nature of the breach, suggesting measures to secure their data, and highlighting the support CCH can provide in this situation.

Those affected will also receive guidance on scrutinizing their credit reports and how to implement credit freezes if they deem it necessary. Should it emerge that any Social Security numbers were compromised, CCH will proactively provide the affected patients with complimentary credit monitoring and identity protection services.

As of now, CCH hasn't found any evidence suggesting the misuse of the compromised data. However, they recommend that patients be vigilant with their medical invoices for any irregularities.