An attack on medical transcription firm Perry Johnson & Associates (PJ&A) belatedly picked up the unwanted distinction of being 2023’s largest U.S. health sector data breach.
Nevada-based PJ&A provides transcription services for medical facilities across the country, meaning it stores sensitive data on millions of Americans.
The firm was breached by hackers between March 27 and May 2 last year, and the unidentified cybercriminals exfiltrated personal data from its systems from April 7 to April 9. PJ&A subsequently disclosed the breach impacted over 8.95 million individuals.
A number of the firm’s clients separately reported the impact on their patients, whose data PJ&A held. Among them was Chicago-based Cook County Health (CCH) which said it stopped using the firm’s services as a result of the breach after affecting 1.2 million of its patients.
New York's largest healthcare provider, Northwell Health, initially said 3.9 million of its patients were impacted, but did not refer to a specific number in subsequent statements.
Another P& J client earlier this month, Concentra Health Services, notified the Department of Health and Human Services (HHS) that the breach had impacted 3,998,162 of its patients.
Concentra is an occupational health care services provider operating 540 medical centers nationwide and 150 onsite clinics at employer locations.
In a notice on its website, the company said patients affected by the PJ&A breach should “remain vigilant against incidents of identity theft by reviewing their account statements, credit reports, and explanations of benefits forms for unusual activity and to detect errors."
HCA Healthcare breach supplanted by as sector's worst breach in 2023
A July cyberattack on Tennessee-based HCA Healthcare resulting in the theft of more than 11 million patient records was considered the most extensive health sector breach of 2023. Concentra’s recent HHS notification takes the total number of patients impacted by the PJ&A breach to over 14 million.
PJ&A previously said while the details stolen by the hackers varied from patient to patient, the compromised information could include patients’ names, dates of birth, addresses, medical record numbers, hospital account numbers, their diagnosis when admitted for care, and the dates and times they received treatment.
Other data that may have been exposed included Social Security numbers, insurance details, and clinical information from medical transcription files, such as test results, medications, the names of treatment facilities and healthcare providers.
Another major health sector data breach to be quantified this month as a result of a report filed to HHS was an attack on technology company HealthEC. The breach took place last July and, according to this month’s HHS filing, impacted 4.5 million records belonging to patients signed up to 18 healthcare providers.