A prominent Chicago healthcare provider, known for serving underserved populations, is notifying approximately 1.2 million patients that their personal information was compromised in a data breach at a medical transcription vendor. Cook County Health, which operates two public hospitals and multiple community clinics in Illinois, has confirmed that it has ended its relationship with the vendor. Numerous other healthcare organizations have also been affected by the same incident.
According to the breach notice, the cyberattack targeted the systems of Perry Johnson & Associates (PJ&A), a third-party transcription vendor that stored a portion of the hospital system's patient data. The stolen information includes patients' names, birthdates, addresses, medical record numbers, and the dates and times of their medical services. About 2,600 of the affected patient records may also have included Social Security numbers.
Cook County Health emphasized that the security incident at PJ&A did not involve any of its own systems or servers. As soon as it became aware of the breach, Cook County Health stopped sharing data with PJ&A and severed its ties with the vendor. PJ&A is working with the FBI and third-party cybersecurity experts to investigate and contain the breach.
The high volume of medical records processed by transcription vendors, and the sensitive health information those records contain, make such vendors attractive targets for cybercriminals. Jon Moore, Chief Risk Officer at the privacy and security consulting firm Clearwater, said that stolen data of this kind can be sold on the dark web, used for identity theft, or exploited for healthcare fraud. He added that smaller medical transcription companies may lack the resources to invest in robust cybersecurity measures, making them more susceptible to attack.
Cook County Health first reported the incident to federal regulators in September, classifying it as a hacking incident involving a business associate and listing 500 affected individuals. PJ&A's own reports, however, had not been posted on the Department of Health and Human Services Office for Civil Rights' HIPAA Breach Reporting Tool as of the latest information available.
PJ&A has not responded to inquiries from Information Security Media Group about the scope of the breach, the number of affected clients and patients, or whether ransomware was involved. According to PJ&A's public notice, an unauthorized party had access to its network between March 27 and May 2, during which time it acquired copies of certain files.
The compromised data did not include credit card information, bank account details, usernames, or passwords. It did, however, contain Social Security numbers, insurance information, and clinical data from medical transcription files, including laboratory and diagnostic test results, medications, the name of the treatment facility, and the names of healthcare providers.
Cook County Health has stated that it has discontinued all data sharing with PJ&A. Whether a customer can terminate a vendor relationship immediately depends on the contract, which may or may not contain a termination clause that is triggered by a cybersecurity incident. The availability of alternative providers for a service such as medical transcription also weighs heavily in such decisions.
Severing ties with a vendor after a healthcare data breach requires a structured process: notifying the vendor, ensuring continued access to patient records, deciding whether the vendor must return or securely delete the data, and planning the data migration and continuity of care so that patient services are not disrupted. Compliance with contractual obligations and regulations is essential throughout, and each step should be documented in detail for legal and regulatory purposes.