Nearly 9 million patients' records compromised in data breach
A cyberattack on a medical transcription company compromised highly sensitive health data belonging to nearly four million patients at Northwell Health, New York State's largest healthcare provider and private employer.
The breach also impacted a healthcare system in Illinois, Cook County Health, which disclosed that 1.2 million of its patients were affected. About four million additional patients from undisclosed locations were also impacted.
The attack is one of the worst medical data breaches in recent years, according to a U.S. Department of Health and Human Services data breach list.
The Nevada-based transcription company, Perry Johnson & Associates (PJ&A), disclosed the breach earlier this month in a legally required filing, revealing that the breach began as early as March and that the company did not begin to notify affected patients until the end of September.
According to a PJ&A notice, the stolen data not only included basic information like patient names, addresses and dates of birth, but also admission diagnoses, some Social Security numbers, laboratory and diagnostic testing results and medications.
A Northwell spokesperson said 3.89 million patients were affected and shared a statement confirming it had been informed of the breach by PJ&A.
“While none of Northwell’s systems were impacted by this cyberattack on PJ&A, Northwell has been informed by PJ&A that records relating to Northwell’s patients were among the files copied from PJ&A’s network,” the statement said.
The statement noted that Northwell is “not aware of any evidence of subsequent misuse of the information obtained from PJ&A’s network,” but is offering all impacted patients a free identity theft service.
An unauthorized user gained access to the PJ&A network between March 27 and May 2, the company reported.
The PJ&A notice said the company has hired a cybersecurity vendor to “assist with the investigation, contain the threat, and further secure our systems.”
It noted that the incident did not allow the hacker to access systems or networks belonging to its customers and said there is no evidence to date of patients’ information being used for identity theft or fraud.
A class action lawsuit was filed against Northwell Health and PJ&A earlier this month.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.