9M Records Stolen After Medical Transcription Firm Hacked

Perry Johnson & Associates (PJ&A), a medical transcription service provider based in Nevada, has fallen victim to a cyberattack, compromising the personal and health information of 8,952,212 Americans. The breach, which occurred between March 27 and May 2, was confirmed by PJ&A in a filing with the US Department of Health and Human Services. The company began notifying affected individuals on October 31.

The stolen data encompasses a range of sensitive information. Patient names, dates of birth, addresses, medical record and hospital account numbers, admission diagnoses, and dates and times of treatment were among the compromised details.

Additionally, the breach included the potential exposure of Social Security numbers, insurance information, and clinical data extracted from medical transcription files, including test results, medications, treatment facility names, and healthcare providers.

Luckily, the breach did not involve credit card or bank account information, nor did it compromise usernames or passwords. Despite the alarming nature of the incident, PJ&A assured the public that there is currently no evidence indicating the misuse of the stolen data for fraud or identity theft.

Two major healthcare providers affected by the breach include Northwell Health, the largest healthcare provider in New York State, and Chicago-based Cook County Health. Northwell Health initially reported 3.9 million affected individuals, while Cook County Health confirmed 1.2 million affected patients.

The breach adds to a growing list of cybersecurity challenges faced by the healthcare industry, following similar incidents reported by McLaren Health Care and Truepill in the same month. It’s also the second-largest breach in recent times, only behind the HCA Healthcare breach that saw 11 million records stolen.

PJ&A has not disclosed specific details about the method used in the cyberattack or the identity of the threat actor responsible. However, upon discovering the breach, the company took immediate action, hiring a cybersecurity vendor and notifying law enforcement. Measures implemented include additional technical restrictions, a password reset for all employees, and the deployment of an endpoint detection and response system to monitor unauthorized access.