Cook County Health, a hospital system covering millions of residents in the Chicago area, faced a large data breach late last week.
What happened
In a news report, Cook County Health revealed that one of their previous partners, Perry Johnson & Associates (PJ&A), who at one time provided medical transportation services for Cook County Health hospitals and clinics, experienced a data breach earlier this spring. Cook County Health was informed of the incident in July.
PJ&A said that an unauthorized individual accessed patient data, potentially exposing the data of Cook County Health patients. The company conducted an internal investigation that revealed their IT network had been accessed between March 27th and May 2nd.
Once the discovery was made by Cook County Health, they terminated their contract with PJ&A and ceased all data-sharing.
Read more: HIPAA Compliant Email: The Definitive Guide
What’s new
On October 9th, PJ&A provided a final list of affected patients, which totaled approximately 1.2 million Cook County Health patients.
Information exposed included names, dates of birth, addresses, medical record information, and more. The company estimates approximately 2,600 patients’ Social Security numbers may have been compromised.
Cook County Health says they are currently notifying affected patients, along with tips on data protection and credit monitoring.
What was said
In a statement, Cook County Health said they have “no evidence that any personal information has been misused. However, patients should monitor medical bills for any suspicious activity…CCH is committed to upholding our patients’ privacy. We apologize for this incident and will continue to work with our business associates to ensure that data is appropriately protected.”
PJ&A similarly released a statement, saying, “We value individuals’ privacy and deeply regret any concern that this might cause. To help prevent something like this from happening again, PJ&A continues to review its safeguards and has implemented additional technical security measures to further protect and monitor its systems.”
Why it matters
While data leaks can happen, hospitals and other HIPAA-covered entities are obligated to keep private health information reasonably secure.
As data breaches continue to impact healthcare organizations, many find that on top of dealing with data recovery and re-securing processes, they are also facing lawsuits.
Neither Cook County Health nor PJ&A are currently facing legal repercussions, but that could change as information is released.
The best way to avoid lawsuits and other financial implications is to ensure data is as secure as possible.
Related: Bienville Orthopaedic Specialists face lawsuit after data breach
The bottom line
Cook County Health and PJ&A have not revealed any further specifics on the data breach. More information is likely to be known in the coming months.
In the meantime, healthcare organizations should consider their current safety and response measures. By paying close attention to guidances and news releases, organizations can stay ahead of cyberattack trends.
Read more: The Joint Commission releases guidance on cyberattack response
Abby Grifno
