Nearly nine million patients had highly sensitive personal and medical information stolen in a cyberattack on a U.S. medical transcription service earlier this year, representing one of the worst medical data breaches in recent memory.
Perry Johnson & Associates, or PJ&A, is a Henderson, Nevada-based medical transcription company that provides services to healthcare organizations and physicians for dictating and transcribing patient notes.
In a legally required filing with the U.S. Department of Health and Human Services, PJ&A said more than 8.95 million people are affected by the data breach that began as early as March 2023.
PJ&A said it began notifying patients whose information had been breached six months later, on October 31.
According to PJ&A's data breach disclosure, the stolen data included patients’ names and dates of birth, addresses, medical records and hospital account numbers, admission diagnoses, and dates and times of service. The medical transcription company said the data also included certain Social Security numbers, insurance and clinical information from medical transcription records, such as laboratory and diagnostic test results, medications, names of treatment facilities and the names of health care providers.
The exact nature of the cyberattack is not yet known. PJ&A Chief Executive Officer Jeffrey Hubbard did not respond to a request for comment.
At least two PJ&A clients have so far confirmed that their patients were affected by the breach, including Northwell Health, the largest health system in New York state.
Northwell Health spokesperson Jason Molinet confirmed to TechCrunch that 3.89 million of its patients are affected by the transcription company’s data breach. This is Northwell Health’s second patient data breach this year after Nuance Communications, another transcription provider, had data stolen in a massive hack earlier this year.
Cook County Health, a health system in Illinois, said in a public notice that 1.2 million of its patients are affected by the breach, including 2,600 patient records containing Social Security numbers.
Data for approximately four million patients remains unaccounted for at the time of writing.
The PJ&A data breach is second in size to the theft of 11 million files from HCA Healthcare earlier this year, according to the Department of Health and Human Services' data breach portal, whose records date back to 2020.
News of the breach comes the same week that healthcare giant McLaren said hackers accessed data on 2.2 million patients during a ransomware attack in August. Online pharmacy startup Truepill also confirmed this week that hackers accessed sensitive data of 2.3 million patients, including medication details.
Do you work at an organization affected by the PJ&A breach? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] by email. You can also contact TechCrunch via SecureDrop.