9 million patients data stolen after US medical transcription company hacked

Nearly nine million patients had their highly sensitive personal and health information stolen during a cyberattack on a US medical transcription service earlier this year, representing one of the worst ever medical-related data breaches in today’s times.

The medical transcription company, Perry Johnson & Associates, or PJ&A, is a Henderson, Nevada-based company that provides transcription services to health care organizations and physicians for dictating and transcribing patient note.

In a legally required filing with the US Department of Health and Human Services, PJ&A said more than 8.95 million individuals were affected by the data breach that began in March 2023.

PJ&A said it began notifying patients whose information was breached six months later on Oct. 31.

According to PJ&A data breach disclosure, the stolen data included patient names and dates of birth, their addresses, medical record and hospital account numbers, their admission diagnosis, and dates and times of service. The medical transcription company said the data also includes some Social Security numbers, insurance and clinical information from medical transcription files, such as laboratory and diagnostic test results, medications , names of treatment facilities, and the name of health care providers.

The exact nature of the cyberattack is still unknown. PJ&A chief executive Jeffrey Hubbard did not respond to a request for comment.

At least two of PJ&A’s customers have come forward to confirm that their patients were affected by the breach, including Northwell Health, the largest health care system in New York State.

Northwell Health spokesperson Jason Molinet confirmed to TechCrunch that 3.89 million of its patients were affected by the transcription company’s data breach. This is Northwell Health’s second patient data breach this year after Nuance Communications, another transcription provider, had data stolen during a mass hack earlier this year.

Cook County Health, a health care system in Illinois, said in a public notice that 1.2 million of its patients were affected by the breach, including 2,600 patient records containing patient Social Security numbers.

Data on about four million patients remains anonymous at the time of writing.

The PJ&A data breach is second in size to the theft of 11 million records at HCA Healthcare earlier this year, according to Department of Health and Human Services data breach portalwhose records begin in 2020.

News of the breach comes the same week that healthcare giant McLaren said 2.2 million patients had their data accessed by hackers during a ransomware attack in August. Online pharmacy startup Truepill also confirmed this week that hackers accessed sensitive data on 2.3 million patients, including medication details.


Do you work for an organization affected by a PJ&A breach? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com via email. You can also contact TechCrunch through SecureDrop.

Leave a comment