Major Healthcare Breaches Unveiled: U.S. Medical Services Hit By Massive Data Compromises

In a shocking turn of events, close to nine million patients had their highly sensitive personal and health information pilfered during a cyberattack on Perry Johnson & Associates (PJ&A), a U.S. medical transcription service. This incident, marked as one of the worst medical-related data breaches in recent times, revealed vulnerabilities in the healthcare sector as it unfolded throughout 2023.

PJ&A, based in Henderson, Nevada, specializes in dictation and transcription of patient notes for healthcare organizations and physicians. A mandatory filing with the U.S. Department of Health and Human Services disclosed that over 8.95 million individuals were affected by the breach, which commenced as early as March 2023. Patient notifications began six months later, on October 31st.

The stolen data included patient names, dates of birth, addresses, medical record and hospital account numbers, admission diagnoses, and dates and times of service. Additionally, some Social Security numbers, insurance details, and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, treatment facility names, and healthcare provider identities, were compromised. The exact nature of the cyber-attack remains undisclosed, as PJ&A CEO Jeffrey Hubbard did not respond to inquiries.

Two of PJ&A’s clients, Northwell Health in New York and Cook County Health in Illinois, have confirmed the impact on their patients. Northwell Health spokesperson Jason Molinet confirmed that 3.89 million of its patients were affected, marking the second breach of Northwell Health patient data in 2023. Cook County Health reported that 1.2 million of its patients were affected, with 2,600 of the exposed records containing Social Security numbers. Shockingly, data for around four million patients remain unaccounted for at the time of writing.

PJ&A’s data breach stands as the second-largest of 2023, following the theft of 11 million records from H.C.A. Healthcare, according to the Department of Health and Human Services’ data breach portal.

Coincidentally, this revelation comes in the same week that another major healthcare giant, McLaren Health Care, confirmed a cyberattack that compromised the sensitive personal and health information of 2.2 million patients. McLaren, a Michigan-based healthcare provider with 13 hospitals and around 28,000 employees, reported the incident in a new data breach notice filed with Maine’s attorney general. During this breach, patient names, dates of birth, Social Security numbers, billing and claims information, prescription and medication details, and diagnostic results and treatments were accessed. The compromise extended to Medicare and Medicaid patient information. The incident occurred during a three-week period from July 28th to August 23rd, and McLaren only noticed it on August 31st.

Hackers later identified as the Alphv ransomware gang claimed responsibility for the McLaren cyberattack. Alphv, also known as BlackCat, had made the breach public in October, warning that it could impact large numbers of patients. Screenshots posted by the ransomware gang on its dark web leak site revealed access to the company’s password manager, internal financial statements, employee information, and spreadsheets containing patient-related personal and health information.

When approached for comment, McLaren spokesperson David Jones declined to provide additional details beyond the company’s public statement. Alphv/BlackCat claimed to have been in contact with a McLaren representative, but this claim remains unverified, and McLaren did not confirm whether a demand for payment was received or whether any payment was made to the hackers. Furthermore, McLaren’s chief information security officer, George Goble, has not taken any interviews on the subject.

The McLaren and PJ&A incidents highlight the critical need for robust cybersecurity measures in the healthcare sector to safeguard patient information from malicious actors.

M. Shanawar Khan
