Hack on Medical Transcription Impacts 1.2 Million People in Chicago
The exposure of sensitive patient data, including names, birthdates, addresses, medical information, and in some cases Social Security numbers, heightens the risk of identity theft and healthcare fraud for those affected by the breach.
Chicago Healthcare Provider Alerts Patients of Data Breach at Medical Transcription Vendor
Cook County Health, a key healthcare provider in Chicago serving underprivileged communities, has announced a significant data breach impacting up to 1.2 million patients. The breach occurred at a third-party medical transcription service provider, Perry Johnson & Associates (PJ&A), and has led to the compromise of sensitive patient information.
As a consequence of the breach, Cook County Health has ended its relationship with the vendor, noting that the incident has also affected numerous other healthcare entities. The exposed data includes patient names, dates of birth, addresses, medical details, and dates and times of service; around 2,600 records may also reveal Social Security numbers.
"Cook County Health was among the many organizations hit by the cybersecurity incident at PJ&A. It is important to note that no internal systems or servers at Cook County Health were compromised," stated the healthcare provider. Following the discovery of the breach, Cook County Health immediately stopped transmitting data to PJ&A and terminated its contract with them.
The transcription vendor is actively collaborating with the FBI and cybersecurity experts to probe and mitigate the issue.
Experts like Jon Moore, Chief Risk Officer at Clearwater, have pointed out that the volume of medical records managed by transcription vendors, along with their extensive access to protected health information, makes them enticing targets for cybercriminals. These attackers may exploit such data for selling on the dark web or for committing identity theft and healthcare fraud. Furthermore, transcription companies may lack the resources to adequately invest in cybersecurity, potentially making them more susceptible to cyberattacks.
Details of the Breach
Cook County Health initially reported the breach in September, categorizing it as a hacking incident involving a business associate and affecting at least 500 individuals, according to records on the HHS Office for Civil Rights' HIPAA Breach Reporting Tool. As yet, no breach reports filed by PJ&A have been listed on the HHS OCR website.
PJ&A has not provided detailed comments on the breach, including the total number of impacted clients and patients or whether ransomware was involved. In its public notice, PJ&A disclosed that an unauthorized entity accessed its network from March 27 to May 2, during which they acquired certain files. The compromised information did not include financial details or login credentials but did contain Social Security numbers, insurance details, and clinical information from medical transcription files for some individuals.
Responding to the Breach
In light of the breach, Mike Hamilton, CISO and co-founder of Critical Insight, emphasizes that whether a vendor's contract can be terminated immediately after an incident depends on the contractual terms and on the availability of alternative service providers.
Hamilton further suggests that business associates dealing with PHI should be contractually obligated to manage the risk of unauthorized disclosure, including terms for contract termination in case of a breach.
Moore highlights the importance of a structured approach when severing ties with a vendor after a security incident. This involves notifying the vendor, maintaining access to patient records, and determining what happens to the data already shared. Planning for data migration and continuity of care is vital to avoid service disruptions for patients. Additionally, compliance with contractual obligations and regulatory standards, along with comprehensive documentation, is critical for legal and regulatory adherence.