December 2, 2023

A cyberattack on a medical transcription firm compromised extremely delicate well being knowledge belonging to almost 4 million sufferers at Northwell Well being, New York State’s largest healthcare supplier and personal employer.

The breach additionally impacted a healthcare system in Illinois, Cook dinner County Well being, which disclosed that 1.2 million of its sufferers have been affected. About 4 million further sufferers from undisclosed areas have been additionally impacted.

The assault is among the worst medical knowledge breaches in recent times, in accordance with a U.S. Division of Well being and Human Providers knowledge breach checklist.

The Nevada-based transcription firm, Perry Johnson & Associates (PJ&A), disclosed the breach earlier this month in a legally required submitting, revealing that the breach started as early as March and that it didn’t start to inform affected sufferers till the top of September.

In accordance with a PJ&A discover, the stolen knowledge not solely included primary data like affected person names, addresses and dates of start, but in addition admission diagnoses, some Social Safety numbers, laboratory and diagnostic testing outcomes and drugs.

A Northwell spokesperson stated 3.89 million sufferers have been affected and shared an announcement confirming it had been knowledgeable of the breach by PJ&A.

“Whereas none of Northwell’s methods have been impacted by this cyberattack on PJ&A, Northwell has been knowledgeable by PJ&A that information referring to Northwell’s sufferers have been among the many recordsdata copied from PJ&A’s community,” the assertion stated.

The assertion famous that Northwell is “not conscious of any proof of subsequent misuse of the knowledge obtained from PJ&A’s community,” however is providing all impacted sufferers with a free identification theft service.

An unauthorized person gained entry to the PJ&A community between March 27 and Could 2, the corporate reported.

The PJ&A discover stated the corporate has employed a cybersecurity vendor to “help with the investigation, include the menace, and additional safe our methods.”

It famous that the incident didn’t enable the hacker to entry methods or networks belonging to its prospects and stated there isn’t a proof thus far of sufferers’ data getting used for identification theft or fraud.

A category motion lawsuit was filed towards Northwell Well being and PJ&A earlier this month.

Get extra insights with the

Recorded Future

Intelligence Cloud.

Study extra.

No earlier article

No new articles

Suzanne Smalley is a reporter protecting privateness, disinformation and cybersecurity coverage for The Report. She was beforehand a cybersecurity reporter at CyberScoop and Reuters. Earlier in her profession Suzanne coated the Boston Police Division for the Boston Globe and two presidential marketing campaign cycles for Newsweek. She lives in Washington together with her husband and three youngsters.