NY AG Warns of ID Theft Risk in Medical Transcription Hack

New York regulators are warning millions of individuals of identity theft risks involving a data theft at a medical transcriber that has now affected patients of at least two major healthcare groups in the state, including Crouse Health and the previously disclosed Northwell Health.

See Also: OnDemand | Generative AI: Myths, Realities and Practical Use Cases

In a statement Wednesday, New York State Attorney General Letitia James said at least 4 million New Yorkers have been affected by the recent hack on Nevada-based medical transcription services vendor Perry Johnson & Associates.

“I urge all New Yorkers affected by this data breach to stay alert and take these important steps to protect themselves,” James said. “Bad actors can use the stolen information to impersonate individuals or cause financial harm. Identity theft is a serious issue, and my office will continue to take action to keep New Yorkers safe.”

The state attorney general’s office did not immediately respond to Information Security Media Group’s request for further details, including whether state regulators are investigating the PJ&A incident.

The New York attorney general’s office is one of the most active states in taking enforcement actions against organizations in the wake of large health data breaches that involve alleged violations of the federal HIPAA rules and state regulations.

The office smacked a radiology group, US Radiology Specialists, with a $450,000 fine involving a ransomware health data breach that affected 93,000 New Yorkers in 2021 (see: NY AG Hits Radiology Group With $450K Fine in SonicWall Hack).

PJ&A reported the incident to federal regulators earlier this month as affecting about 8.95 million individuals. Northwell Health, the largest healthcare provider in New York state, disclosed in mid-November that about 3.9 million of its patients had been affected by the PJ&A incident (see: Medical Transcriber’s Hack Breach Affected at Least 9 Million).

On Wednesday, Syracuse, New York-based nonprofit Crouse Health, which is licensed for 506 acute care beds and serves 15 counties in central and northern New York state, issued a breach notice disclosing that it too was a victim of the PJ&A hacking incident.

“The breach occurred earlier in 2023 at PJ&A and no Crouse systems were breached. Additionally, no evidence has been uncovered to indicate any Crouse patient data has been misused,” Crouse said.

Crouse Health did not immediately respond to ISMG’s request for additional details, including the number of its patients affected by its PJ&A incident.

PJ&A in a statement issued earlier this month said an unauthorized party had gained access to the company’s network between March 27 and May 2, during which time the attacker acquired copies of certain files from PJ&A systems.

Information potentially compromised in the attack includes name, birthdate, address, medical record number, hospital account number, admission diagnosis, and dates and times of service, PJ&A said.

For some individuals, Social Security numbers, insurance information and clinical information from medical transcription files – such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers – were also affected.

PJ&A said in its breach notice that the company has no evidence that individuals’ information has been misused for the purpose of committing fraud or identity theft.

In addition to Northwell Health and Crouse Health, Cook County Health in Illinois also recently reported to regulators that about 1.2 million of its patients had been affected by the PJ&A hack (see: Medical Transcription Hack Affects 1.2 Million Chicagoans).

The incident did not involve access to any systems or networks of PJ&A’s healthcare customers, the transcribing firm said.

Disturbing Trends

The PJ&A breach illustrates some of the most significant trends related to the security of health information these days, said regulatory attorney Paul Hales of the Hales Law Group.

“Business associate breaches have spiked because they are prime targets for criminals. A company like PJ&A accumulates health information of millions of patients to serve its healthcare provider clients,” Hales told ISMG. “A successful attack on one business associate is equal to hundreds of successful attacks on providers.”

Meanwhile, proposed federal class action lawsuits against PJ&A alleging negligence and other claims related to the hack continue to pile up. As of Thursday, at least 20 lawsuits had been filed against PJ&A. Of those, Northwell Health is named as a defendant or co-defendant in at least a dozen lawsuits.

“Private class action data breach plaintiffs have become the fastest-growing, most aggressive enforcers of laws protecting patient privacy,” said Hales, who is not involved in the PJ&A litigation.

“The new breed of class action lawsuits is more substantive, reflecting lessons learned from previous lawsuits that often were dismissed before trial. Class action law firms are publicizing their interest in this breach on the internet. Expect more class actions to be filed,” he said.

Many of the lawsuits filed against PJ&A so far also allege the company violated the Federal Trade Commission Act, Hales said. “Although the FTC has taken no public action in the PJ&A breach, it is now a major player in health data breach enforcement and signaled its intention to become even more active. We might see FTC activity related to this breach soon.”

State regulators also are becoming more aggressive in reprimanding entities that suffer breaches that put large numbers of citizens at risk, he said.

“Some states like New York are much more active protectors of health information due to strengthened consumer protection and health data breach laws,” he said.

Next week, New York is expected to publish draft proposals for hospital cybersecurity regulations. The proposals, which potentially come with $500 million in funding, are expected to be open for public comment for 60 days (see: NY State Eyes New Cyber Regs for Hospitals; $500M Price Tag).