Skip to main content
Medical Record

Perry Johnson & Associates Data Breach | Cook County Health

Written by Joseph Lyon on . Posted in Data Breach.

The Lyon Firm is investigating the Perry Johnson & Associates data breach that has allegedly impacted a large number of Cook County Health patients. Our class action privacy lawyers are representing plaintiffs nationwide affected by this security breach.

What Happened at Perry Johnson & Associates?

On July 21, 2023, Perry Johnson notified Cook County Health that a data security incident was detected and engaged third-party cybersecurity experts to assist with an investigation. According to the released PJ&A breach notice, a data breach was detected on May 2, 2023, and concluded that the Perry Johnson IT systems were accessed by an unauthorized individual between March 27, 2023, and May 2, 2023.

Cook County Health had contracted Perry Johnson & Associates, a Nevada medical transcription service provider. Cook County recently confirmed that the protected health information of up to 1.2 million patients has potentially been obtained in the cyberattack. How many Perry Johnson clients were affected is not known at this time, though Northwell Health has also been notified of a breach as well.

Who Is Impacted at Cook County Health?

Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital in Chicago, four pharmacies, and 15 community health centers in Cook County.

Cook County Health says it stopped sharing data with Perry Johnson when it was notified about the data breach though the damage had already been done. Although its own IT systems were not affected, the following information may have been compromised:

  • Names
  • Dates of birth
  • Addresses
  • Medical record numbers
  • Medical information
  • Social Security numbers
  • Insurance information
  • Laboratory and diagnostic testing results

Cook County Health said it will begin mailing data breach notification letters to the affected individuals. They have reported the incident to the Department of Health and Human Services’ Office for Civil Rights. The HIPAA Breach Notification Rule requires data breaches to be reported no later than 60 days from the initial discovery.

Vendors like Perry Johnson, which provide services to the healthcare industry, often require access to patient data, and can be targeted by cyberattacks relatively often. According to a report that analyzed healthcare data breaches in the first half of 2023, almost 50 percent of the healthcare records exposed were linked to cyberattacks on a third-party business vendor. Medical data theft is on the rise, and criminals can steal medical identities and engage in fraud with a small amount of personal data.

Our legal team is currently involved in many of the nation’s largest data breach cases, and has experience settling data privacy lawsuits in all fifty states. We aim to compensate victims following any data theft incident that puts us all at risk. Contact our lawyers for a free consultation.