A U.S. medical transcription service, Perry Johnson & Associates (PJ&A), fell victim to a cyberattack earlier this year, leading to the exposure of highly sensitive personal and health records of nearly nine million patients, making it one of the most severe medical-related data breaches to date.
PJ&A, based in Henderson, Nevada, offers transcription services to healthcare organizations and physicians for documenting patient notes.
According to a mandatory filing with the U.S. Department of Health and Human Services, PJ&A reported that over 8.95 million individuals were impacted by the breach, which started as early as March 2023. The affected patients were only notified about the breach six months later, on October 31.
The stolen data encompassed various confidential information, including patient names, dates of birth, addresses, medical record and hospital account numbers, admission diagnosis, and dates and times of service. Additionally, the compromised data also contained some Social Security numbers, insurance information, and clinical details from medical transcription files, such as laboratory and diagnostic testing results, medications, treatment facility names, and healthcare provider names, as stated in PJ&A’s data breach disclosure.
Despite the breach, the specifics of the cyberattack remain unknown, with PJ&A’s CEO Jeffrey Hubbard declining to comment on the matter.
Notably, at least two of PJ&A’s clients have verified the impact of the breach on their patients. For instance, Northwell Health confirmed that 3.89 million of its patients were affected, while Cook County Health stated that 1.2 million of its patients were impacted, with 2,600 patient records containing Social Security numbers.
Furthermore, around four million patients’ data is still unaccounted for at present.
PJ&A’s breach ranks as the second largest in 2023, falling behind HCA Healthcare’s theft of 11 million records, according to the Department of Health and Human Services’ data breach portal.
Notably, this disclosure comes amid similar cybersecurity incidents in the healthcare sector, including recent breaches affecting McLaren and Truepill, underscoring the escalating threat to patient data security.
If your organization is impacted by the PJ&A breach, you can reach out to the reporter via Signal, WhatsApp, or email.