Perry Johnson & Associates says data breach compromised health records of almost 9m people

Perry Johnson & Associates, a Nevada-based medical transcription service provider, said it suffered a massive cyber attack that compromised the sensitive personal information of almost 9 million individuals.

In a cyber security incident notification released this week, Perry Johnson & Associates (PJ&A) said its internal network was infiltrated by an unauthorised third party between March 27 and May 2, during which the third party accessed and acquired copies of certain files from its internal systems.

PJ&A said it immediately launched an internal investigation with assistance from third party cyber security experts to understand the nature and scope of the security incident.

The investigation revealed that the threat actor was able to access sensitive healthcare information of a large number of individuals. The compromised information included names, dates of birth, addresses, Social Security numbers, medical record numbers, hospital account numbers, admission diagnosis, dates and times of service, insurance information, clinical information from medical transcription files, including laboratory and diagnostic test results, medications, name of the treatment facility, and the name of healthcare providers.

PJ&A has clarified that the compromised data doesn’t include credit card information, bank account information, usernames or passwords.

In a filing with the U.S. Department of Health and Human Services Office for Civil Rights, the company reported that at least 8,952,212 individuals were affected by the incident.

“While we have no evidence that individuals’ information has been misused for the purpose of committing fraud or identity theft, individuals whose information may have been involved are encouraged to review the notification they receive, including guidance on what they can do to protect themselves, should they feel it is appropriate to do so,” the company said.

PJ&A has started notifying all the affected individuals about the data breach since October 31 and has urged them to remain vigilant and keep an eye out for any suspicious activities in their credit reports. The company has also set up a dedicated helpline where impacted individuals can call and get their queries answered.

Earlier this month, Illinois-based Cook County Health disclosed a significant data breach as a result of a data security incident suffered by PJ&A. According to the company’s investigation, at least 1.2 million patients had their personal data compromised in the data breach. 

 

The compromised data included their names, dates of birth, addresses, medical record numbers, encounter numbers, medical information, and dates and times of service. Approximately 2,600 of those patient records also included Social Security Numbers.