PJ&A Transcription Releases Update; 13.3 Million Exposures from 2023 Breaches
Table of Contents
- By Steven
- Published: Feb 14, 2024
- Last Updated: Feb 16, 2024
Perry Johnson & Associates (PJ&A) is a medical transcription organization based in Nevada. Since the public learned about PJ&A’s breach, we have featured it whenever large healthcare networks have announced data breaches stemming from their incident and when officials present updates. This week, more information is public about the incident, through the Maine Attorney General’s Office. Initial reporting put the PJ&A breach at 1.2 million impacted out of Chicago’s Cook County since the breach has impacted healthcare networks across the nation—putting the impact figure closer to 13.3 million.
How Did the Attack Occur?
PJ&A is a transcription service; according to the consumer notice published with the breach filing, one of these partners was Concentra Health Services. PJ&A provided services to Concentra, and they provided services to health entities and networks. The personal information of Concentra patients and associates may be among the impacted data in this breach. There is no new information about the details of the breach itself; an unauthorized actor accessed their systems, and officials eventually found it, removed the threat, and began notifying impacted partners.
What Information Was Viewed or Stolen?
The Concentra sample notice does not list impacted data elements; however, the PJ&A statement published in November 2023 offers clues. Impacted data may differ between individuals but may include names, birthdays, Social Security Numbers, residential addresses, medical record numbers, hospital account numbers, times of service, admission diagnoses, clinical information (like laboratory testing, diagnostics, or medications), treatment facilities, healthcare provider names, and insurance information. The Concentra data elements may include one or more of the types above; however, individual notices will list specific details.
How Did Perry Johnson & Associates Admit to the Breach?
The consumer’s notice also offers new information in the event timeline, but it only regards Concentra. The investigation suggests the threat actors accessed PJ&A’s systems around March 27th; they remained in the system until around May 2nd, when officials responded to the threat. The assailants may have accessed Concentra’s data from April 7th to 19th, 2023. At the end of May, preliminary investigations concluded there was an attack; officials have sent consumer notices in waves, beginning in early November and most recently around February 8th.
What Will Become of the Stolen Information?
The biggest fear with massive breaches is that they’ll impact vulnerable people; over 13 million people, many of whom are patients, may see their data misused in the future due to this event. They could see it misused tomorrow or a decade from now; there’s no way to tell when criminals may manipulate it. Additionally, no one knows how the criminals may profit from the attack. They could sell the data in bulk online, extort individual victims, or use the data in fraudulent schemes. This breach mainly concerns victims’ identity and medical information. Victims must start protecting their information as soon as possible.
What Should Affected Parties Do in the Aftermath of the Breach?
Victims must take steps to secure their data, although there’s no return to confidentiality. Ensure that all accounts should use unique passwords and credentials, ideally created by a password generator; these accounts must have the highest amount of security possible, like one-time token authentications. Patients must contact their providers and request an Explanation of Benefits and itemized billings—if they discover discrepancies, they must alert professionals. Account monitoring services can help victims discover and respond to threats, returning victims to normalcy faster.
