9 million patients had data stolen after US medical transcription firm hacked

Close to nine million patients had highly sensitive personal and health information stolen during a cyberattack on a U.S. medical transcription service earlier this year, representing one of the worst medical-related data breaches in recent times.

The medical transcription company, Perry Johnson & Associates, or PJ&A, is a Henderson, Nevada-based company that provides transcription services to healthcare organizations and physicians for dictating and transcribing patient notes.

In a legally required filing with the U.S. Department of Health and Human Services, PJ&A said more than 8.95 million individuals are affected by the data breach that began as early as March 2023.

PJ&A said it began notifying patients whose information was breached six months later, on October 31.

According to PJ&A's data breach disclosure, the stolen data included patient names, dates of birth, addresses, medical record and hospital account numbers, admission diagnoses, and dates and times of service. The medical transcription company said the data also included some Social Security numbers, insurance and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the names of treatment facilities and the names of healthcare providers.

The exact nature of the cyberattack is not yet known. PJ&A chief executive Jeffrey Hubbard did not respond to a request for comment.

At least two of PJ&A's customers have so far come forward to confirm their patients are affected by the breach, including Northwell Health, the largest healthcare system in New York State.

Northwell Health spokesperson Jason Molinet confirmed to TechCrunch that 3.89 million of its patients are affected by the transcription company's data breach. It's the second breach of Northwell Health patient data this year after Nuance Communications, another transcription provider, had data stolen during a mass-hack earlier this year.

Cook County Health, a healthcare system in Illinois, said in a public notice that 1.2 million of its patients are affected by the breach, including 2,600 patient records that contained patient Social Security numbers.

The data of about four million patients remain unaccounted for at the time of writing.

PJ&A's data breach is second in size only to the theft of 11 million records from HCA Healthcare earlier this year, according to the Department of Health and Human Services' data breach portal, whose records date back to 2020.

News of the breach comes in the same week that healthcare giant McLaren said 2.2 million patients had data accessed by hackers during a ransomware attack in August. Online pharmacy startup Truepill also confirmed this week that hackers accessed sensitive data of 2.3 million patients, including medication details.

Do you work at an organization that is affected by the PJ&A breach? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email. You can also contact TechCrunch via SecureDrop.