Millions of New Yorkers' PHI exposed in data breach

Perry Johnson & Associates, a medical transcription company, experienced a significant data breach in early 2023, affecting 9 million patients, including 4 million New Yorkers.

What happened 

Perry Johnson & Associates (PJ&A), a Nevada-based medical transcription company, experienced unauthorized access to their network between March 27, 2023, and May 2, 2023. Although the breach did not extend to the systems of PJ&A's healthcare clients, the compromised data included individuals' names, birth dates, addresses, medical and hospital account numbers, and details of medical services received. Social Security numbers, insurance details, and clinical information from transcriptions were also exposed for some. Fortunately, financial data like credit card or bank information was not accessed.

PJ&A notified affected individuals in late October 2023. While there is no evidence of misuse of the information for fraud or identity theft, the breach raised considerable concerns, prompting New York Attorney General Letitia James to urge those affected to take protective measures, such as monitoring their credit, placing credit freezes, and reviewing their medical records. 

See also: HIPAA Compliant Email: The Definitive Guide

What they're saying

A press release by the New York Attorney General stated: “I urge all New Yorkers affected by this data breach to stay alert and take these important steps to protect themselves, bad actors can use the stolen information to impersonate individuals or cause financial harm. Identity theft is a serious issue, and my office will continue to take action to keep New Yorkers safe.”

Why it matters

The PJ&A data breach underscores the growing threat of cyberattacks in the healthcare sector. This concern prompted New York Governor Kathy Hochul to propose new cybersecurity regulations. This breach, which compromised nearly nine million people's personal and health information, highlights the vulnerabilities and potential consequences of inadequate cybersecurity measures in healthcare facilities. 

The exposed information demonstrates the implications for patient privacy and trust in healthcare institutions. The incident serves as a sign for regulatory changes and healthcare facilities to prioritize more effective response plans for these incidents. Governor Hochul's proposal addresses these challenges, setting a precedent for heightened cybersecurity standards to protect patient data and the integrity of healthcare services.

Read more: New York proposes new security regulations for hospitals

What’s next

Individuals affected by the breach are likely to continue monitoring their personal information for signs of identity theft or fraud, as advised by authorities. PJ&A is expected to work closely with cybersecurity experts to strengthen their systems against future breaches, adhering to the corrective measures they've already begun implementing. On a broader scale, this incident will likely fuel discussions and actions around enhancing data protection protocols in the healthcare sector, especially concerning third-party service providers handling sensitive health data.

See also: HHS settles with St. Joseph’s Medical Center over PHI disclosure