PJ&A Data Breach Impacts About 9 Million Patients

About 9 million patients were impacted by a cyberattack on Perry Johnson & Associates. This transcription service provider’s data breach is the second-biggest healthcare data breach this 2023 and it is the 6th biggest healthcare data breach ever documented.

PJ&A is based in Henderson, Nevada, and provides transcription services to companies in the legal, medical, and government industries. It is the biggest privately owned transcription services company in the U.S. PJ&A noticed unauthorized activity inside its IT systems on May 2, 2023, and took fast action to segregate its systems and stop continuing unauthorized access. Third-party cybersecurity specialists were involved to inspect the occurrence and find out the nature and extent of the cyberattack, and if sensitive information was extracted from its networks.

The forensic investigation affirmed the unauthorized access to its system for over one month from March 27, 2023 to May 2, 2023, and in that period, there was unauthorized access to the information of its clients. PJ&A informed its customers concerning the cyberattack on July 21, 2023, and subsequently confirmed the unauthorized access to information; nevertheless, the investigation was in progress and it wasn’t possible to verify precisely what types of data were compromised or the number of people impacted.

The investigation of the PJ&A data breach was finished on September 28, 2023. On September 29, 2023, PJ&A began sharing the outcome of its investigation to the impacted customers. PJ&A stated the data viewed by the unauthorized party differed from one person to another and could have involved name, address, birth date, Social Security number, hospital account number, health record number, date/time of service, admission diagnosis, insurance details, and medical and clinical details. The medical and clinical data included in the transcription documents might have contained, lab and diagnostic test data, medications, the treatment facility name, and the healthcare company name. Clients did not provide credit card data, bank account details, and usernames/passwords to PJ&A and thus were not compromised.

On November 2, 2023, the breach report was submitted to the HHS’ Office for Civil Rights indicating that 8,952,212 persons were affected. PJ&A stated that it worked with the impacted clients after informing them. Whenever data breaches happen at business associates of HIPAA-regulated entities, the business associate usually submits the data breach report to OCR; nevertheless, it depends on the conditions of the business associate agreements (BAA). Individual covered entities could submit the breach report themselves. It is presently uncertain if the 8,952,212 persons include all impacted persons or if some clients are submitting the breach reports themselves. The total number submitted to OCR just comprises persons who had their protected health information (PHI) compromised and doesn’t include customers in other industries.

PJ&A mentioned in its breach notice that it has not found any actual or attempted improper use of the stolen information and has taken action to stop identical breaches later on, which include improving its technical security procedures. PJ&A did not mention offering credit monitoring and identity theft protection services to the impacted persons, though several impacted clients have stated the availability of those services.

Clients Impacted

PJ&A did not publicly reveal the number of its clients that were affected. At this point, only two impacted HIPAA-covered entities were confirmed: Northwell Health in New York and Cook County Health in Illinois.

Cook County Health (IL)

Cook County Health manages Provident Hospital of Cook County and John H. Stroger, Jr. Hospital of Cook County in Chicago, two health services which include the Cook County Department of Public Health, four pharmacies, and 15 community health centers located in Cook County, Illinois.

People impacted: 1.2 million

Northwell Health (NY)

Northwell Health, previously called North Shore-Long Island Jewish Health System, is the biggest healthcare company and private company in New York State and manages 23 hospitals which include Long Island Jewish Medical Center, and its flagship North Shore University Hospital, and 700 outpatient centers.

People impacted: Northwell Health Released a draft report stating 3,891,565 people were impacted, however that report was later retracted. The final number is not yet verified.

Salem Regional Medical Center (OH)

Salem Regional Medical Center located in Salem, OH, has stated it was impacted by the PJ&A data breach, which the hospital stated happened from March 2 to May 2, 2023. The breached data involved names, birth dates, addresses, telephone numbers, Social Security numbers, hospital account numbers, and medical records. The hospitals stated that PJ&A is offering complimentary identity theft protection.

People impacted: Not known

Investigations and Lawsuits Associated with the PJ&A Data Breach

The HHS’ Office for Civil Rights investigates all data breaches involving 500 and up persons to find out whether there were failures to adhere to the HIPAA Regulations. State Attorneys General likewise inspect data breaches and can enforce civil monetary penalties for of HIPAA and state legislation violations. PJ&A has just shared limited data concerning the nature of the breach to date and, according to the data available, no evidence shows the violation of any federal or state data security legislation.

Class action lawsuits are generally filed following healthcare data breaches. A breach of this size will probably see the filing of numerous class action lawsuits. Since the notification letters were already sent, expect the filing of the first lawsuits in a couple of days.

One of 2023’s Big Data Breaches

2023 is going to be a bad year with regard to healthcare data breaches. As of November 15, 2023, 583 data breaches involving 500 and up records were reported to the HHS’ Office for Civil Rights. What is quite alarming is the size of the data breaches. To date this year, the PHI of 102,407,662 persons were confirmed as compromised or stolen, which is about twice the 51,903,629 breached records in 2023. If big data breaches are reported at this rate, 2023 is going to be the worst-ever year when it comes to the number of compromised records.

OCR recently affirmed that 77% of healthcare data breaches are due to hacking incidents, big data breaches increased by 239% in the last 4 years and ransomware attacks increased by 278%. The number of data breach reports suggests healthcare companies are having difficulties with cybersecurity as sophisticated attacks increase.

New York lately reported that it is doing something to deal with the problem by having stricter cybersecurity rules for hospitals following some cyberattacks that impacted patient treatment. New York Governor Kathy Hochul likewise affirmed that $500 million was provided to assist hospitals in making the required enhancements to cybersecurity. New York is on top by doing something to enhance healthcare cybersecurity yet considering the seriousness of the issue, this should never be an issue for individual states to attempt to take care of. Congress must do more to fight the problem, for instance, HIPAA updates and/or financial bonuses and support for enhancing cybersecurity.

About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA