Incident

Trigg County Hospital reports data breach caused by third party incident



Trigg County Hospital in Kentucky is reporting that patient information was compromised in a cyberattack targeting Blue & Co., LLC, an accounting and CPA firm that provides financial services to the hospital and other healthcare organizations across Kentucky. 

On December 9, 2024, Blue & Co. discovered that an unauthorized actor had accessed one of its servers and removed data. The incident took place on or about November 7, 2024, and lasted for less than half an hour.

The company isolated the affected server and engaged third-party forensic specialists to investigate the breach. The investigation was completed on May 20, 2025, and confirmed that personal and health information provided to Blue & Co. by client companies was impacted.

Exposed data includes:

  • Names
  • Social Security numbers
  • Driver's license numbers
  • Passport numbers
  • Individual tax identification numbers
  • Financial account information (with or without access credentials)
  • Medical information and medical record numbers
  • Diagnostic information and procedure types
  • Admission dates and patient identification numbers
  • Medicare identification numbers
  • Billing and claims information
  • Patient encounter numbers and treatment locations
  • Treatment costs and prescription information
  • Mental or physical condition details
  • Treating or referring physician information
  • Diagnostic codes and dates of birth
  • Usernames and passwords
  • Health insurance information

The number of affected individuals is not disclosed. The scope of the incident appears to be significant given Blue & Co.'s extensive client base across multiple healthcare organizations in Kentucky and other states.

Blue & Co. has established a dedicated assistance line at 866-819-2990, available Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern time, starting July 7, 2025. The company is sending direct notification letters to individuals whose data was involved, provided it has a valid mailing address for them. 
