Medical Transcription Service Data Breach Impacts Multiple Health Systems

November 14, 2023 - UPDATE,11/16/2023: The HHS data breach portal now shows that the Perry Johnson & Associates data breach impacted nearly 9 million individuals, making it one of the largest reported healthcare data breaches this year.

Perry Johnson & Associates (PJ&A), a vendor that provides transcription services to healthcare organizations, recently disclosed a data breach that occurred in early May. Northwell Health and Cook County Health (CCH) have reported being impacted by the incident.

According to a breach notice shared with the California Attorney General’s Office, PJ&A discovered a data security incident on May 2, 2023 and promptly launched an investigation. The company later determined that an unauthorized third party had maintained access to its systems between March 27 and May 2.

The unauthorized party may have obtained protected health information, including names, dates of birth, medical record numbers, hospital account numbers, admission diagnoses, addresses, and dates of service. The breach also included Social Security numbers, insurance information, and clinical information from medical transcription files, such as medication information and test results.

Following PJ&A’s disclosure, Chicago, Illinois-based Cook County Health informed 1.2 million individuals that they may have been impacted by the breach. Upon learning of the incident, CCH said it terminated its relationship with PJ&A and stopped sharing data with the vendor.

Northwell Health, New York’s largest healthcare provider, also notified patients of the breach, though it did not disclose the exact amount of individuals impacted. The PJ&A breach was the second third-party data security incident to impact Northwell this year – the health system was also affected by the MOVEit hack at Nuance Communications.

“The privacy and security of your patient information is of the utmost importance to us,” PJ&A stated. “We sincerely regret this occurrence and apologize for any concern that it may cause you.”

Data Breach at McLaren Health Care Impacts 2.2M Individuals

McLaren Health Care determined that a July 2023 data breach impacted 2.2 million individuals, according to a breach notice provided to the Maine Attorney General’s Office. Headquartered in Grand Blanc, Michigan, McLaren Health Care consists of 13 hospitals, HMOs, ambulatory surgery centers, imaging centers, and a primary and specialty care physician network.

According to the breach notice, McLaren discovered suspicious activity within its systems on August 22, 2023. The health system later determined that an unauthorized third party had accessed its network between July 28 and August 23.

McLaren learned that the unauthorized third party had the ability to acquire certain information, potentially including names, Social Security numbers, health insurance information, billing information, diagnoses, medical record numbers, and prescription information.

“We take this event and the security of your information seriously. Upon learning of this event, we immediately took steps to secure our network and maintain operations in a safe and secure fashion. As part of our ongoing commitment to the privacy of personal information in our care, we are working to review our existing policies and procedures and to implement additional administrative and technical safeguards to further secure the information on our systems,” McLaren stated.

“Notice was also provided to federal law enforcement and to the U.S. Department of Health and Human Services. We remain committed to fully complying with all state and federal requirements and maintaining timely and transparent communication with our patients and the community.”

2.3M Records Implicated in Breach at Mail-Order Pharmacy Company

Postmeds, the parent company of online pharmacy retailer Truepill, recently disclosed a breach that impacted more than 2.3 million individuals. Postmeds provides online pharmacy delivery services and operates an online platform that enables users to manage prescriptions.

According the breach notice, a bad actor gained access to a subset of Postmeds files used for pharmacy management and fulfillment services on August 31, 2023. Further investigation determined that the files contained patient names, medication type, and demographic information.

Postmeds began notifying impacted individuals of the breach in late October and assured patients that it was working to enhance its security protocols and technical safeguards.

However, a lawsuit has since been filed, alleging that the Postmeds breach was a result of the company’s failure to implement adequate data security measures. The plaintiff allegedly suffered concrete injuries, including suspicious activity on his Venmo account and having his information spread on the dark web.  

The proposed class action lawsuit intends to represent anyone impacted by the breach.