A recent data breach at a medical transcription firm contracted by Cook County Health exposed the personal information of more than 1.2 million CCH patients, the health system said Friday.
The Cook County Health network includes two hospitals and more than a dozen community health centers across the Chicago area.
Some patient information was stored on servers at Nevada-based Perry Johnson & Associates, according to statements from both CCH and PJ&A. The transcription firm was the target of data theft sometime between March 27 and May 2 and later determined CCH patient data had been stolen.
About 2,600 patients’ Social Security numbers may have been taken during the data breach. Stolen data also included insurance information, medication history and the details of patients’ medical treatment. PJ&A said hackers did not gain access to any patients’ credit card numbers, bank accounts or any usernames and passwords.
PJ&A told Cook County Health about the breach July 26, at which point Cook County Health fired PJ&A and stopped sharing data with the company.
“While we have no evidence that individuals’ information has been misused for the purpose of committing fraud or identity theft, individuals whose information may have been involved are encouraged to review the notification they receive, including guidance on what they can do to protect themselves,” PJ&A said in an Oct. 1 statement.
PJ&A began mailing letters to patients whose data was affected Oct. 31. Letters should start arriving next week, according to Cook County Health. The health care network has had the full list of affected patients since Oct. 9.
In a statement, CCH said it encourages patients to look over their medical bills and credit reports in case they were affected.
“We apologize for this incident and will continue to work with our business associates to ensure that data is appropriately protected,” the health care network said in a statement.
Several other organizations that work with PJ&A were also targeted in the breach.
Those who have questions about their data after receiving a letter can call (833) 200-3558.