Data breach hits 8.9M patients of medical transcription company
Cybercriminals are becoming increasingly clever at finagling access to valuable patient information, as one medical transcription company recently found out. Instead of making a beeline for a healthcare provider organization itself, hackers targeted the networks of Perry Johnson & Associates (PJ&A), and the resulting data breach exposed the personal health information of just under 9 million patients.
According to a breach notification filing with the Attorney General of California, the recently revealed attack actually began in March of 2023 and was discovered in May.
“On May 2, 2023, PJ&A became aware of a potential data security incident impacting PJ&A’s systems,” the company said. “Thereafter, we immediately launched an internal investigation and retained an external cybersecurity vendor to assist with the investigation, contain the threat and further secure its systems.”
“On May 22, 2023, we preliminarily determined that an unauthorized third party had accessed PJ&A data and that customer data was likely impacted by this event, although further investigation would be required to determine the scope of the impacted data and to identify all affected customers. The investigation ultimately determined that the unauthorized access to PJ&A systems occurred between March 27, 2023, and May 2, 2023, and that unauthorized access to personal health information … occurred between April 7, 2023, and April 19, 2023, with certain subsets of data accessed for shorter periods during this timeframe.”
During that time, cybercriminals were able to access a significant amount of patient information, possibly including full names, dates of birth, medical record and hospital account numbers, social security numbers, insurance information, and provider names. The breach also exposed sensitive clinical data, such as admission diagnoses, lab and diagnostic test results from medical transcription files, and medication details, for some patients.
PJ&A sent breach notification letters to victims on November 3, 2023, including an unconfirmed number of patients at Long Island-based Northwell Health.
In addition, at least 1.2 million patients at Cook County Health in Illinois are known to have been involved in the breach. The Cook County Health breach notification points out that not all patients had all types of data elements compromised. For example, only 2,600 may have had their social security numbers exposed.
Legal firms are already exploring the potential for class action lawsuits against the entities involved in the incident and are encouraging patients to come forward with more information.
This latest event means that the total number of patients affected by breaches in 2023 is now well in excess of 90 million. Cybercriminals have been extremely active during the second half of the year, with more than 45 million patients affected by unauthorized access in the third quarter alone.
The PJ&A breach is a solemn reminder to healthcare organizations that they can’t just worry about their own systems. They also need to be aware of how their partners and HIPAA business associates (BAs) are working to keep their networks secure, particularly as financial and administrative relationships become more complex in the modern care environment.
Health system leaders should regularly review their obligations in business associate relationships and collaborate with these partners when developing breach response plans and running simulations. Open communication and transparency may be able to help both organizations react to breaches more quickly and make appropriate changes afterwards to prevent future attacks.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at email@example.com.