Huge healthcare data breach leaks full names, SSNs and more of 9 million patients — what to do now

Even if you’re extremely careful and use strong, complex passwords for each of your accounts, your personal information can still be exposed online as the result of a data breach.

As reported by BleepingComputer, the medical transcription company Perry Johnson & Associates (PJ&A) has disclosed that it fell victim to a cyberattack back in March of this year. This led to the personal info of almost 9 million patients ending up in the hands of hackers.

According to PJ&A, hackers managed to breach the company’s network at the end of March and had access to its systems until the beginning of May. During this time, the hackers responsible were able to obtain the full names, dates of birth, medical record numbers, hospital account numbers, Social Security numbers (SSNs), insurance information, medical transcription files and more from approximately 9,952,212 patients.

With all of this information, the hackers behind this cyberattack could easily commit fraud or blackmail, or try to steal your identity. While details regarding which healthcare providers and their customers are affected are still somewhat scarce, we’ll update this story as we learn more.

Data breach notices are being sent out now

Since PJ&A is a medical transcription company, the data exposed for each person will be different depending on what information they provided to their healthcare provider and the type of treatment they received.

Fortunately, no financial information or account credentials were accessed by the hackers behind this cyberattack. Still, having your SSN and other sensitive data exposed just by going to the doctor isn’t the kind of thing people who are sick or dealing with long-term health problems want to hear.

At the moment, two healthcare providers that we know of have begun sending out data breach notifications to affected patients. They include Chicago’s largest healthcare provider, Cook County Health (CCH), which notified 1.2 million patients that their medical records were exposed, as well as New York’s largest healthcare provider, Northwell Health, which announced in a press release that it suffered an indirect data breach as a result of the incident.

As such, there are another four million people whose medical data was exposed in the cyberattack on PJ&A who haven’t been notified yet. If your personal info was obtained by hackers though, you’ll likely receive either an email or a letter in the mail letting you know.

What to do if your personal info is exposed in a data breach

If your personal information was exposed online as a result of the cyberattack against PJ&A, you’ll likely be hearing from your healthcare provider very soon. For this reason, you’re going to want to diligently check your mailbox and inbox for a data breach notice.

A lot of times, when something like this happens, companies will provide you with free access to one of the best identity theft protection services for a year. Since these services are normally quite expensive, this is an offer you want to take them up on, especially as they can help you recover from fraud and get your identity back if it’s stolen.

Besides signing up for any offers from your healthcare provider, you also want to keep a close eye on your bank statements for any signs of fraud. This means looking for large transactions you don’t remember making as well as seeing if your name has been used to take out a loan or to sign up for a credit card.

We’ll likely hear more from individual healthcare providers and from PJ&A themselves, so check back as we will update this story as we find out more.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.