Cook County Health and Hospitals System

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Cook County Health (CCH) experienced a data breach due to a cyberattack on Perry Johnson & Associates, Inc. (PJ&A), an external vendor that previously provided medical transcription services for CCH. The breach was first detected by PJ&A, who informed CCH on July 21, 2023, that they were investigating a cyberattack. It was confirmed on July 26, 2023, that an unauthorized individual accessed PJ&A systems where CCH patient data was stored between March 27 and May 2, 2023[1][2][3][4][6][7][12][13][15][16][20][22].

The breach potentially exposed the personal information of approximately 1.2 million CCH patients. The compromised data included names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, dates/times of service, and for about 2,600 patients, Social Security numbers[1][2][3][4][6][7][12][13][15][16][20][22]. PJ&A has stated that no credit card numbers, bank accounts, or usernames and passwords were accessed[13].

Upon learning of the incident, CCH ceased data sharing with PJ&A and terminated their relationship. CCH has been notifying affected patients and providing them with information on how to protect their data, including credit monitoring and identity protection services[1][2][3][4][6][7][12][13][15][16][20][22]. As of the knowledge cutoff date, there was no evidence that the exposed information had been misused for fraud or identity theft[4][15].

The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals, which is a requirement for breaches of this size[2][12]. PJ&A has been working with the FBI and external cybersecurity experts to investigate and contain the incident[1][2]. They have also implemented additional technical security measures to prevent future breaches[3].

Patients who may have been affected by the breach can call (888) 867-3881 for more information[1][6].

Citations:

  1. https://cookcountyhealth.org/compliance-notice/
  2. https://www.hipaajournal.com/cook-county-health-cyberattack-medical-transcription-firm/
  3. https://www.paubox.com/news/over-1-million-illinois-residents-face-data-breach
  4. https://www.chicagotribune.com/2023/11/04/after-major-data-breach-personal-information-of-12-million-cook-county-health-patients-at-risk/
  5. https://en.wikipedia.org/wiki/Chicago
  6. https://www.cbsnews.com/chicago/news/cook-county-health-warns-of-data-breach-for-1-2-million-patients-at-medical-transportation-firm/
  7. https://healthitsecurity.com/news/medical-transcription-service-data-breach-impacts-multiple-health-systems
  8. https://iic.ccsheriff.org
  9. https://www.nbcchicago.com/news/local/cook-county-health-data-breach-could-mean-blackmail-fake-medical-bills-and-years-of-headache-for-patients/3283438/
  10. https://www.idstrong.com/sentinel/another-medical-information-breach-out-of-chicago/
  11. https://www.databreachtoday.com
  12. https://www.hipaajournal.com/cook-county-health-1-2-million-breach-business-associate/
  13. https://www.bankinfosecurity.com/medical-transcription-hack-affects-12-million-chicagoans-a-23555
  14. https://www.cbsnews.com/?ftag=CNM-16-10abc6g
  15. https://www.nbcchicago.com/news/local/cook-county-health-data-breach-exposes-personal-information-of-1-2m-patients/3269006/
  16. https://abc7chicago.com/cook-county-health-data-breach-medical-information-personal-stolen/14009331/
  17. https://www.northwell.edu
  18. https://cookcountyhealth.org/top_stories/privacy-breach-public-notice/
  19. https://abcnews.go.com
  20. https://wgntv.com/news/cook-county/1-2m-patients-impacted-after-cook-county-health-data-breach/
  21. https://www.wkrg.com/mobile-county/davidson-high-school-principal-placed-on-administrative-leave/
  22. https://chicago.suntimes.com/news/2023/11/7/23950691/data-breach-potentially-affected-up-to-1-2-million-cook-county-health-patients
  23. https://www.cnn.com
Breach Submission Date Sep 24, 2023
Converted Entity Name Cook County Health and Hospitals System
Converted Entity Type Healthcare Provider
State IL
Individuals Affected 500
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes