Medical Transcriber’s Hack Breach Affects at Least 9 Million

The number of healthcare organizations and patients affected by a recent data theft at medical transcription firm Perry Johnson & Associates is expanding: The company now says the breach affected the sensitive information of about 9 million people.

See Also: Live Webinar | Ransomware in the Cloud: Challenges and Security Best Practices

Nevada-based Perry Johnson & Associates, which does business as PJ&A, in a breach report filed on Nov. 3 to the Department of Health and Human Services’ Office for Civil Rights said the hacking incident has affected more than 8.95 million people.

In the meantime, Northwell Health – the largest healthcare system in New York State, with 21 hospitals and 900 outpatient facilities – has disclosed that it was one of the PJ&A clients affected by the hack.

A Northwell Health spokesman on Wednesday told Information Security Media Group that the PJ&A hack affected nearly 3.9 million Northwell Health patients.

“While none of Northwell’s systems were impacted by this cyberattack on PJ&A, Northwell has been informed by PJ&A that records relating to Northwell’s patients were among the files copied from PJ&A’s network,” Northwell Health said in a statement provided to ISMG.

Northwell Health’s statement about the PJ&A breach follows a recent disclosure by Cook County Health in Chicago saying that 1.2 million of its patients were affected by the PJ&A hack.

The Illinois public healthcare provider reported the incident to HHS OCR on Sept. 24 with a placeholder estimate of only 500 individuals affected (see: Medical Transcription Hack Affects 1.2 Million Chicagoans).

What’s unclear in PJ&A’s recent filing to HHS OCR is whether the nearly 9 million individuals the vendor reported as affected by the incident include any of the combined 5.1 million people that Cook County Health and Northwell Health said were victims of the PJ&A hack.

PJ&A did not immediately respond to ISMG’s requests for comment, including clarification about the total number of individuals and healthcare clients affected by the breach.

In any case, with at least 9 million people reported by PJ&A to HHS OCR as affected, the incident on Wednesday ranked as the second-largest health data breach posted to the federal agency’s HIPAA Breach Reporting Tool website so far in 2023.

The largest breach posted so far this year was an email hacking incident affecting nearly 11.3 million individuals reported in July by Tennessee-based HCA Healthcare (see: HCA Says Up to 11M Patients Affected by Email Data Hack).

Race to the Courthouse

Like many other organizations reporting large health data breaches – including HCA – PJ&A is also already facing a growing stack of proposed federal class action lawsuits related to the hack.

As of Wednesday, six proposed federal class action lawsuits had been filed in the last week against PJ&A. Northwell Health is named a co-defendant in at least four of those lawsuits, and Cook County Health is named a co-defendant in one of the complaints. Five of the lawsuits were filed in the U.S. District Court for the District of Nevada and one was filed in the U.S. District Court for the Eastern District of New York.

The allegations made in the lawsuit complaints are similar to those in many other proposed class actions involving data breaches: that the defendants were negligent in failing to protect the sensitive information of plaintiffs and class members from data security compromise.

“Northwell’s and PJ&A’s negligent conduct is ongoing, in that they – and their third-party vendors – still hold the personally identifiable information of the plaintiff and class members in an unsafe and unsecure manner,” alleges the lawsuit complaint filed Tuesday in New York by plaintiff Laurie Gay Gerber on behalf of herself and all others similarly situated.

Gerber’s lawsuit and the other cases seek relief including monetary damages and an injunctive order for the defendants to improve their data security practices.

Breach Details

PJ&A’s breach notice does not indicate when the security incident was first detected, but the company said an unauthorized party had gained access to its network between March 27 and May 2. During that time, the intruder acquired copies of certain files from PJ&A systems.

PJ&A determined that compromised files contained patients’ health information including name, birthdate, address, medical record number, hospital account number, admission diagnosis, and dates and times of service.

For some individuals, affected information also included Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility and the names of healthcare providers.

The files did not contain credit card information, bank account information or usernames or passwords, PJ&A said. The company said it has no evidence that individuals’ information has been misused.

Nevertheless, the multiple lawsuits filed against PJ&A so far contend that individuals affected by the incident face a present and substantial risk of fraud and identity theft.

Vendor Risk

Cook County Health in its notice to affected individuals said it has terminated its relationship with PJ&A. Northwell Health did not immediately respond to ISMG’s inquiry on whether it was still doing business with PJ&A.

The PJ&A incident is not Northwell Health’s only vendor data breach this year. Northwell Health was also among dozens of Nuance Communications’ clients affected by an exploitation earlier this year of a zero-day vulnerability in Progress Software’s MOVEit secure file transfer software (see: Nuance Notifying 14 NC Healthcare Clients of MOVEit Hacks).

Business associates have been culprits in many of the largest breaches so far this year affecting hundreds of healthcare sector organizations and millions of their patients.

A snapshot Wednesday of the HHS OCR breach reporting website shows that so far in 2023, some 583 breaches have been reported as affecting more than 102.4 million individuals.

Of those breaches, 230 incidents affecting more than 66.5 million individuals were reported as involving business associates. That means third-party vendors were involved in 40% of the major health data breaches reported to HHS OCR so far in 2023, but those incidents were responsible for about 65% of individuals affected.