Millions of patients have data stolen after medical transcription service hacked

Hackers have breached Perry Johnson & Associates (PJ&A) and stolen sensitive information belonging to almost nine million people.

The company confirmed the news in a filing with the US Department of Health and Human Services, where it said it was breached in March 2023, before notifying affected individuals on October 31. 

A total of 8.95 million individuals are affected, with the stolen data including full names, birth dates, postal addresses, medical records, and hospital account numbers. Furthermore, the hackers took admission diagnoses, as well as dates and times of service. In some cases, the hackers also stole Social Security Numbers (SSN), insurance and clinical information from medical transcription files, and names of healthcare providers - all of which would be more than enough to stage highly convincing social engineering attacks (phishing, identity theft, etc.) and could result in many class-action lawsuits.

Attacker identity unknown

PJ&A is a company that provides transcription services to healthcare organizations and is based in Nevada, US. 

So far we don’t know the threat actor behind the attack, and whether or not this was a ransomware attack. The company is not currently responding to any requests for comment. We do know that Northwell Health, a major healthcare system in the State of New York, is affected, with at least 3.89 million patient records belonging to that company. The second company to come forward is Cook County Health, which has had 1.2 million of its patients’ data taken.

That leaves some four million records unaccounted for, at least for now.

It’s still unknown how the hackers breached PJ&A, but given the timeline, it’s safe to assume it wasn’t via the MOVEit managed file transfer service incident, which started around May. The GoAnywhere MFT incident, however, was discovered in February this year.

Via TechCrunch

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.