PJ&A says cyberattack exposed data of nearly 9 million patients - BleepingComputer

2023-11-15 10:26 (EST)

PJ&A (Perry Johnson & Associates) is warning that a cyberattack in March 2023 exposed the personal information of almost nine million patients.

PJ&A provides medical transcription services to healthcare organizations in the United States.

The company said the threat actors breached its network and had access between March 27 and May 2, 2023. Its investigation revealed that the following information had been exposed to the threat actors:

Full name

Date of birth

Medical record number

Hospital account number

Admission diagnosis

Date and time of service

Social Security numbers (SSNs)

Insurance information

Medical transcription files (lab and diagnostic test results)

Medication details

Treatment facility and healthcare provider names

PJ&A began sending notices of a data breach on October 31, 2023, to alert impacted individuals that their sensitive healthcare information had been compromised.

[Image: PJ&A data breach notification for Northwell patients. Source: BleepingComputer]

The data exposed for each person varies depending on what information they provided to the healthcare services and the type of treatment they received.

The information accessed by the unauthorized party does not include financial information or account credentials.

The exact number of people affected by this incident remained unknown until PJ&A submitted the relevant information to the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights, which now confirms the number to be 8,952,212 patients.

Previously, Chicago's largest healthcare provider, Cook County Health (CCH), notified 1.2 million patients that their medical records had been breached in the PJ&A incident, announcing that it would terminate its relationship with the vendor as a result.

Yesterday, Northwell Health, New York's largest healthcare provider, announced it suffered an indirect data breach resulting from the PJ&A network compromise. The notification states that Northwell data was stolen between April 7 and April 19.

The number of impacted individuals who received care in Northwell Health's clinics and had their sensitive information exposed in this incident surpasses 3.8 million.

This means another four million people whose medical data was exposed through other healthcare providers have not been notified yet.

BleepingComputer has contacted PJ&A with further questions about the attack, but a comment was not immediately available.
