Personal and health information belonging to 9 million Americans was compromised in a cyberattack against medical transcription service provider Perry Johnson & Associates (PJ&A).
The attack, which is yet to be attributed to a specific threat actor, was the second largest breach of U.S. health-related data this year. In July, Tennessee-based HCA Healthcare reported a breach involving the theft of 11 million patient records.
PJ&A began writing to affected individuals on Oct. 31, advising them its systems were breached between March 27 and May 2, with the hackers gaining access to personal health information between April 7 and April 19.
It wasn’t until this week, however, that the scale of the attack was revealed when PJ&A notified the Department of Health and Human Services that the incident had impacted 8,952,212 individuals.
The company said while the details stolen varied from patient to patient, the compromised information could include patients’ names, dates of birth, addresses, medical record numbers, hospital account numbers, their diagnosis when admitted for care, and the dates and times they received treatment.
Other data that may have been exposed included Social Security numbers, insurance details, and clinical information from medical transcription files, such as test results, medications, the names of treatment facilities and healthcare providers.
PJ&A said the breached information did not include credit card or bank account information, or usernames or passwords.
Also this week, Northwell Health, New York State’s largest healthcare provider, said “certain patients’ personal information” was affected by the PJ&A breach. In early statements, the organization mentioned a figure of 3.9 million affected individuals, but later stopped referring to a specific number.
On its website, Northwell Health posted a statement from PJ&A about the incident which said PJ&A had not seen evidence that the stolen data had been abused to commit fraud or identity theft.
Some Northwell patients were impacted by May’s MOVEit Transfer hack. Among the organizations targeted by the Cl0p ransomware gang in the MOVEit attacks was Nuance Communications, a vendor used by Northwell.
On Nov. 3, Chicago-based Cook County Health (CCH) said 1.2 million of its patients were affected by the PJ&A breach.
“Upon learning of the data security incident, CCH stopped sharing data with PJ&A, and terminated its relationship with PJ&A,” the organization said.
PJ&A has not provided details of how its systems were hacked, or who is believed to be responsible, but said when it discovered the incident it immediately hired a cybersecurity vendor and notified law enforcement.
“We implemented additional technical restrictions in our systems, and we performed a password reset for all employees,” the company said.
“Additionally, with the assistance of our cybersecurity vendor, we deployed an endpoint detection and response system to monitor any unauthorized access of our systems.”
In two other major, unrelated U.S. healthcare information breaches reported this month, Michigan-based McLaren Health Care said a breach from July to August resulted in personal information of 2.2 million individuals being stolen. The ALPHV/BlackCat ransomware operation claimed responsibility for the attack. And mail-order pharmacy provider Truepill, also known as Postmeds, reported data belonging to more than 2.3 million individuals was compromised following a breach of its systems in late August.