Hackers have breached Perry Johnson & Associates (PJ&A) and stolen sensitive information belonging to almost nine million people.
The company confirmed the news in a filing with the US Department of Health and Human Services, where it said it was breached in March 2023, before notifying affected individuals on October 31.
A total of 8.95 million individuals are affected, with the stolen data including full names, birth dates, postal addresses, medical records, and hospital account numbers. Furthermore, the hackers took admission diagnoses, as well as dates and times of service. In some cases, the hackers also stole Social Security Numbers (SSN), insurance and clinical information from medical transcription files, and names of healthcare providers – all of which would be more than enough to stage highly convincing social engineering attacks (phishing, identity theft, etc.) and could result in many class-action lawsuits.
Attacker identity unknown
PJ&A is a company that provides transcription services to healthcare organizations and is based in Nevada, US.
So far we don’t know who the threat actor behind the attack is, or whether this was a ransomware attack. The company is not currently responding to any requests for comment. We do know that Northwell Health, a major healthcare system in the State of New York, is affected, with at least 3.89 million patient records belonging to that company. The second company to come forward is Cook County Health, which has had 1.2 million of its patients’ data taken.
That leaves some four million records unaccounted for, at least for now.
It’s still unknown how the hackers breached PJ&A, but given the timeline, it’s safe to assume it wasn’t via the exploitation of the MOVEit managed file transfer service, which started around May. The GoAnywhere MFT incident, however, was discovered in February this year.