PJ&A (Perry Johnson & Associates) is warning that a cyberattack in March 2023 exposed the personal information of almost nine million patients.
PJ&A provides medical transcription services to healthcare organizations in the United States.
The company said the threat actors breached its network and had access between March 27 and May 2, 2023. Its investigation revealed that the following information had been exposed to the threat actors:
- Full name
- Date of birth
- Medical record number
- Hospital account number
- Admission diagnosis
- Date and time of service
- Social Security numbers (SSNs)
- Insurance information
- Medical transcription files (lab and diagnostic test results)
- Medication details
- Treatment facility and healthcare provider names
PJ&A began sending notices of a data breach on October 31, 2023, to alert impacted individuals that their sensitive healthcare information had been compromised.
The data exposed for each person varies depending on what information they provided to the healthcare services and the type of treatment they received.
The information accessed by the unauthorized party does not include financial information or account credentials.
The exact number of people affected by this incident remained unknown until PJ&A submitted the relevant information to the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights, which now confirms the number to be 8,952,212 patients.
Previously, Chicago’s largest healthcare provider, Cook County Health (CCH), notified 1.2 million patients that their medical records had been breached in the PJ&A incident, announcing that it would terminate its relationship with the vendor as a result.
Yesterday, Northwell Health, New York’s largest healthcare provider, announced it suffered an indirect data breach resulting from the PJ&A network compromise. The notification states that Northwell data was stolen between April 7 and April 19.
The number of impacted individuals who received care in Northwell Health’s clinics and had their sensitive information exposed in this incident surpasses 3.8 million.
This means another four million people whose medical data was exposed through other healthcare providers have not been notified yet.
Bleeping Computer has contacted PJ&A with further questions about the attack, but a comment was not immediately available.