A cyberattack targeting a Nevada-based medical transcription company, Perry Johnson & Associates (PJ&A), has resulted in a massive data breach, exposing highly sensitive health information of approximately 9 million patients across various healthcare providers.
Northwell Health, New York State’s largest healthcare provider and employer, disclosed that nearly 4 million of its patients were impacted by the breach. Cook County Health in Illinois confirmed that 1.2 million of its patients were affected, while an additional 4 million patients from undisclosed locations were also compromised.
The severity of this breach ranks it among the most significant medical data breaches, as reported by the U.S. Department of Health and Human Services data breach list.
PJ&A, in a mandatory disclosure, revealed that the breach commenced as early as March, with affected patients notified only by the end of September. Stolen data encompassed fundamental patient details such as names, addresses, and dates of birth, along with admission diagnoses, some Social Security numbers, laboratory test results, diagnostic records, and medication details.
Northwell Health, although confirming none of its internal systems were affected, acknowledged that records of its patients were among those copied from PJ&A’s network. Despite no evidence of misuse to date, Northwell is providing impacted patients with complimentary identity theft protection services.
The breach, occurring between March 27 and May 2, allowed an unauthorized user access to the PJ&A network. The company has engaged a cybersecurity vendor to investigate, contain the threat, and fortify its systems, clarifying that the intrusion did not extend to its customers’ systems or networks.
PJ&A emphasized no evidence exists thus far regarding the exploitation of patients’ information for identity theft or fraudulent activities. However, a class action lawsuit has been initiated against both Northwell Health and PJ&A following this breach.
