US medical transcription firm Perry Johnson & Associates (PJ&A) fell victim to a significant cyberattack earlier this year, resulting in the theft of highly sensitive personal and health data belonging to nearly nine million individuals. 

PJ&A, a company specializing in providing transcription services to healthcare organizations and physicians for dictating and transcribing patient notes, disclosed the alarming breach in a mandatory filing with the US Department of Health and Human Services. 

The breach, which commenced as early as March, affected over 8.95 million individuals. According to TechCrunch, this incident is one of the worst medical-related data breaches in recent memory.


Medical Transcription Firm Perry Johnson & Associates' Stolen Data

According to PJ&A's official statement, patient notification of the data breach occurred on October 31. The stolen data encompasses a wide array of sensitive information, including patient names, dates of birth, addresses, hospital account and medical record numbers, admission diagnoses, and the dates and times of service.

Moreover, the compromised data includes some Social Security numbers, insurance details, and clinical information extracted from medical transcription files. 

This information includes laboratory and diagnostic testing results, medications, treatment facility names, and the names of healthcare providers. PJ&A emphasized its commitment to safeguarding information and initiated the notification process promptly after discovering the breach.

The unauthorized access occurred between March 27 and May 2, during which the cyber intruder obtained copies of specific files from PJ&A's systems. The company promptly engaged a cybersecurity vendor to investigate, contain the threat, and fortify its systems against future breaches.

As detailed in PJ&A's disclosure, the breach did not compromise the systems or networks of the company's healthcare customers. The accessed files contained personal health information but excluded credit card information, bank account details, or login credentials. 

Nonetheless, the stolen data included Social Security numbers, insurance particulars, and additional clinical details for some individuals.


Comprehensive Review

PJ&A undertook a comprehensive review of the affected files to address the situation and provided the results to impacted customers starting September 29. The company collaborated with the customers to notify individuals whose information was identified during the review. 

Despite the lack of evidence suggesting the misuse of individuals' information for fraudulent purposes or identity theft, PJ&A encouraged affected individuals to carefully review the notifications they receive.

The notifications offer guidance on protective measures should individuals deem it necessary. Expressing deep regret over potential concerns stemming from the incident, PJ&A outlined its commitment to preventing future breaches. 

The company said it is reviewing its security measures, implementing additional technical safeguards, and intensifying monitoring efforts to fortify its systems. 



ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.