Perry Johnson & Associates (PJ&A), a provider of transcription services to healthcare providers, suffered a cyberattack in March 2023 and hackers gained access to parts of its network where files and databases were stored that contained the protected health information of patients of its customers.
According to the substitute breach notice on the PJ&A website, the forensic investigation revealed hackers had access to its network between March 27, 2023, and May 2, 2023, during which time files were exfiltrated. A third-party service provider was engaged to review the files to determine their precise contents and on or around September 29, 2023, PJ&A started notifying its affected customers. PJ&A said that it started mailing notification letters to the affected individuals on October 31, 2023.
PJ&A said the information compromised in the attack varied from individual to individual and may have included some or all of the following: name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. Some individuals may also have had their Social Security numbers, insurance information, and clinical information exposed. If applicable, clinical information in medical transcription files may have included laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers. Credit card information, bank account information, and usernames/passwords were not exposed.
PJ&A said it will continue to review and upgrade its security solutions and has implemented additional technical safeguards to prevent similar breaches in the future. The threat actor/group behind the attack is not known and, at this moment in time, no ransomware/extortion group appears to have claimed responsibility for the attack.
Cook County Health in Chicago, IL, confirmed last week that it was one of the affected customers and said approximately 1.2 million patients have had their protected health information exposed. Cook County Health terminated its business relationship with PJ&A when it was notified about the data breach and said it took until October to receive the final list of affected patients. New Hyde Park, NY-based Northwell Health, the largest healthcare provider in New York, also confirmed it had been affected. A draft statement was issued by Northwell Health – and retracted shortly thereafter – saying almost 3.9 million patients had been affected, although when retracting the statement Northwell Health said it hasn’t yet been confirmed how many individuals were affected.
The PJ&A data breach is now showing on the HHS’ Office for Civil Rights breach portal which shows 8,952,212 individuals have been affected. It is currently unclear whether that total includes all clients affected. Some PJ&A clients may have chosen to self-report the breach, which often happens with breaches at business associates.