Nearly nine million patients had highly sensitive personal and health information stolen during a cyberattack on a US medical transcription service earlier this year, representing one of the worst medical data breaches in recent memory.
Perry Johnson & Associates, or PJ&A, is a Henderson, Nevada-based medical transcription company that provides services to healthcare organizations and physicians for dictating and transcribing patient notes.
In a legally required filing with the US Department of Health and Human Services, PJ&A said more than 8.95 million people are affected by the data breach that began as early as March 2023.
PJ&A said it began notifying patients whose information was breached six months later, on Oct. 31.
According to PJ&A's data breach disclosure, the stolen data included patients' names, dates of birth, addresses, medical record and hospital account numbers, admission diagnoses, and dates and times of service. The medical transcription company said the data also included some Social Security numbers, insurance information, and clinical information from medical transcription records, such as lab and diagnostic test results, medications, the names of treatment facilities and the names of health care providers.
The exact nature of the cyber attack is not yet known. PJ&A CEO Jeffrey Hubbard did not respond to a request for comment.
At least two of PJ&A’s clients have come forward so far to confirm that their patients are affected by the breach, including Northwell Health, the largest health care system in New York State.
Northwell Health spokesman Jason Molinet confirmed to TechCrunch that 3.89 million of its patients are affected by the transcription company’s data breach. It’s Northwell Health’s second patient data breach this year, after Nuance Communications, another transcription provider, had data stolen during a massive breach earlier this year.
Cook County Health, a health care system in Illinois, said in a public announcement that 1.2 million of its patients are affected by the breach, including 2,600 patient records that contained patients’ Social Security numbers.
About four million of the affected patients remain unaccounted for at the time of writing.
PJ&A's data breach is the second largest after HCA Healthcare had 11 million records stolen earlier this year, according to the Department of Health and Human Services' data breach portal, whose records date back to 2020.
News of the breach comes the same week that healthcare giant McLaren said 2.2 million patients had data accessed by hackers during a ransomware attack in August. Online pharmacy startup Truepill also confirmed this week that hackers accessed 2.3 million patients’ sensitive data, including medication details.
Do you work for an organization affected by the PJ&A breach? This reporter can be reached on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com via email. You can also contact TechCrunch via SecureDrop.