Medical Transcription Hack Affects 1.2 Million Chicagoans
Cook County Health Says It Is Among the Vendor's 'Many' Clients Affected by Hack
A major healthcare provider in Chicago that serves underserved populations is notifying as many as 1.2 million patients that their information was compromised in a data theft incident at a medical transcription vendor.
Cook County Health, which operates two public hospitals and more than a dozen community healthcare clinics in Illinois, said it has terminated its relationship with the vendor and that it is among "many" other healthcare organizations affected by the incident.
A breach notice says the hack affected systems of Perry Johnson & Associates, the third-party transcription vendor, where "some" of the hospital system's patient information was stored.
The data includes names, birthdates, addresses, medical information, and the dates and times of service. Approximately 2,600 of those patient records may also have included Social Security numbers, CCH said.
"CCH is one of many organizations impacted by the PJ&A data security incident. No CCH systems or servers were accessed during this incident," CCH said. "Upon learning of the data security incident, CCH stopped sharing data with PJ&A, and terminated its relationship with PJ&A," the county health system said.
The transcription vendor is working with the FBI and third-party cybersecurity experts to investigate and contain the incident.
The sheer volume of medical records processed by transcription vendors and the wealth of protected health information they handle makes them appealing targets for hackers, said Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
"Cybercriminals can monetize this information by selling it on the dark web or using it for identity theft and healthcare fraud," he said.
"In addition, medical transcription companies may not always have the resources to prioritize or invest in cybersecurity like larger healthcare organizations. This could result in inadequate security measures, making them more vulnerable to cyberattacks."
CCH first reported the breach to federal regulators in September as a hacking incident involving a business associate and affecting 500 individuals, according to the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool, a website listing health data breaches affecting 500 or more individuals.
As of Wednesday, no breach reports filed by PJ&A were posted on the HHS OCR website.
PJ&A did not immediately respond to Information Security Media Group's requests for details about the incident, including how many other clients and patients were affected and whether the breach involved ransomware.
PJ&A in its public notice about the cyber incident said an unauthorized party had gained access to the PJ&A network between March 27 and May 2, during which time the hacker acquired copies of certain files.
Information illegally accessed on PJ&A systems did not contain credit card information, bank account information or usernames or passwords, the company said. "For some individuals, however, the impacted data may have also included Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers," the company said.
Although Cook County Health said it has stopped sharing information with PJ&A, "cutting a business relationship immediately depends on contract terms, which may include termination for cause that includes a cyber incident that reflects back on the customer," said Mike Hamilton, CISO and co-founder of security firm Critical Insight.
"It would also depend on having an alternative for the provision of the service - in this case, medical transcription."
Hamilton said business associates that process PHI should be contractually managed in accordance with the risk of unauthorized disclosure.
"This should include terms that specify that a records breach or network compromise originating with that business associate constitutes grounds for contract termination, including language regarding the return or destruction of records in scope."
Severing ties with a vendor after a security incident involving healthcare data entails a structured process, Moore said. "It starts with notifying the vendor, ensuring continued access to patient records, and deciding whether data should be returned or securely deleted. Data migration and continuity of care planning are crucial to minimizing disruptions in patient services."
Contractual obligations and regulatory compliance also must be closely followed, and documentation of all actions is essential for legal and regulatory purposes, Moore said.