Healthcare , HIPAA/HITECH , Industry Specific

DOJ Investigating Medical Transcribers' Mega Hack: Report

Perry Johnson & Associates' 2023 Data Theft Breach Affected About 14 Million
DOJ Investigating Medical Transcribers' Mega Hack: Report
Image: Perry Johnson & Associates

The 2023 hack at medical transcription firm Perry Johnson & Associates, which affected dozens of clients and about 14 million individuals, triggered the largest health data breach reported to regulators last year. Now the data theft incident appears to be under federal criminal investigation.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

A federal grand jury looking into the incident reportedly sent a subpoena last November to Cook County Health in Illinois, according to reporting Wednesday by local news site WBEZ Chicago.

Cook County Health, which operates several public health centers and other medical facilities - including John H. Stroger Jr. Hospital, a 450-bed teaching hospital and level 1 trauma center, is a former PJ&A client. The hack affected 1.2 million of its patients.

Investigators asked the county public health agency to turn over "any and all information related to the data security incident" involving the Nevada-based medical transcription services firm, according to WBEZ. The news site said it obtained a copy of the subpoena last week after suing Cook County Health in April for violating the state's open records law.

WBEZ reported that, in the subpoena, acting U.S. Attorney Morris Pasqual and a prosecutor in the U.S. Justice Department's Fraud Section asked Cook County officials to provide a copy of its contract with PJ&A, records relating to "due diligence by Cook County of PJ&A," and all communications the county had with the company regarding the incident.

The Justice Department also asked the county health system's department of risk management to provide a "list of affected individuals and corresponding data that was compromised" and any documents "related to identifying the unauthorized third party which accessed PJ&A data."

Cook County Health, PJ&A and the Department of Justice did not immediately respond to Information Security Media Group's requests for comment about WBEZ's report.

ID Theft Warning

PJ&A reported the hack to the U.S. Department of Health and Human Services as affecting nearly 9 million individuals, but several of the company's other clients submitted their own separate breach reports to HHS, linked to the same PJ&A incident. In total, the PJ&A breach appears to have affected at least 14 million individuals and dozens of the firm's clients (see: How 2023 Broke Long-Running Records for Health Data Breaches).

The PJ&A hack was the subject of an advisory from New York State authorities last year that warned consumers about potential identity theft arising from the incident, which affected more than 4 million patients of at least two major healthcare groups in the Empire State, including Northwell Health and Crouse Health (see: NY AG Warns of ID Theft Risk in Medical Transcription Hack).

The medical transcriber faces dozens of proposed federal class action lawsuits stemming from the incident, and many of those cases name various affected PJ&A clients - including Cook County Health - as co-defendants (see: Fallout Mounting From Recent Major Health Data Hacks).

While law enforcement has undoubtedly launched an investigation into cybercriminals potentially behind the PJ&A attack, the federal grand jury subpoena requests to Cook County Health indicates other issues that federal prosecutors might be scrutinizing, some experts said.

"There are three criminal statutes that come to mind," said regulatory attorney Rachel Rose, who is not involved in the PJ&A case.

Those include the Stored Communications Act, which addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third parties; criminal HIPAA violations, which apply when the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm; and identity theft.

"Given the emphasis on cybersecurity and health and public sector, which is one of CISA's 16 critical infrastructure sectors, as well as the known facts and circumstances of the case, it is not surprising that the DOJ would pursue a potential criminal case," she said.

Because Cook County operates one of the largest government-owned hospitals in the country, Rose said, "there will likely be more of these types of criminal investigations, especially when 1.2 million patients' data was impacted."

PJ&A's breach notice about the hack does not indicate when the security incident was first detected, but the company said an unauthorized party gained access to its network between March 27, 2023, and May 2, 2023. During that time, the intruder acquired copies of certain files from PJ&A systems.

PJ&A determined that the compromised files contained patients' health information including name, birthdate, address, medical record number, hospital account number, admission diagnosis, and dates and times of service.

For some individuals, affected information also included Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility and the names of healthcare providers.

The files did not contain credit card information, bank account information or usernames or passwords, PJ&A said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.