Hackers stole the personal health data of nearly nine million people from a medical transcription service this past spring, in what is the second-largest breach to hit U.S. healthcare providers in at least two years.
The breach, which was publicly disclosed to California and federal regulators on Nov. 3, affects patients at a number of hospital systems across the country. Northwell Health, a large nonprofit network in New York, and Cook County Health, a public hospital system in Chicago, were both affected.
Nevada-based PJ&A, which provides transcription services to doctors and hospitals, said in an undated notice on its website that an “unauthorized party” accessed its computer network between late March and early May, and took copies of files containing personal health information.
The files contained data on 8,952,212 individuals, according to a database of data breaches of health information reported to the U.S. Department of Health and Human Services.
The specific information stolen varied by person, but included names, addresses, and initial diagnoses of the conditions for which they sought care. PJ&A also said that, for some individuals, hackers may also have accessed Social Security numbers, insurance information, test results, medications, and the names of doctors who treated them.
Hackers have been a particular and growing problem for the healthcare industry. Over the past two years, U.S. healthcare providers have reported large data breaches affecting more than 128 million individuals, according to the HHS database, which includes breaches of health information affecting more than 500 individuals going back 24 months.
Healthcare and public-health organizations were the victim of more ransomware attacks in 2022 than any other sector, the Federal Bureau of Investigation reported this year.
The largest healthcare data breach of the last two years involved
HCA Healthcare
(ticker: HCA), the publicly traded company that operates hospitals and other medical facilities across the U.S. That breach affected more than 11 million individuals. HCA discovered the breach on July 5 of this year and issued a public statement on July 10. It began notifying affected patients in mid-August.
PJ&A said in a notification filed with the California attorney general on Nov. 3 that it became aware of a potential data security incident on May 2. It said it determined on May 22 that customer data had likely been affected.
Cook County Health said in its own statement that PJ&A had informed it of a data-security incident on July 21.
PJ&A said in its notification that it hired a cybersecurity consultant to conduct an investigation, and that it informed customers of the results of the investigation on Sept. 29. Cook County Health says that it received a final list of its affected patients on Oct. 9. PJ&A said that it began notifying affected patients on Oct. 31.
PJ&A didn’t respond to a query about the timing of its disclosures.
Cook County Health and Northwell both said in statements that their own systems weren’t accessed by the intruder. Cook County Health, which said that records for 1.2 million of its patients were involved in the breach, has terminated its relationship with PJ&A.
Both Northwell and Cook County Health are offering identity-theft protection services to their affected patients at no cost.
Write to Josh Nathan-Kazis at josh.nathan-kazis@barrons.com
Read the full article here