North Kansas City Hospital Impacted By PJ&A Data Breach

The PJ&A data breach was one of the largest healthcare data breaches reported to HHS last year, and notifications continue to roll in.

Missouri-based North Kansas City Hospital (NKCH) and its transcription subsidiary, Meritas Health Corporation, recently notified more than 500,000 individuals of a third-party data breach stemming from Perry Johnson & Associates (PJ&A), a medical transcription service.

As previously reported, PJ&A suffered a data breach in May 2023 that impacted nearly 9 million individuals. An unauthorized party gained access to PJ&A’s systems, impacting data including insurance and clinical information from medical transcription files and some Social Security numbers.

Northwell Health, New York’s largest healthcare provider, was one of the organizations impacted by the breach, prompting the New York Attorney General’s Office to issue a consumer alert about the potential impacts of the breach.

At NKCH, the information involved in the incident included patients’ demographic information, such as names, dates of birth, phone numbers, and addresses, as well as health insurance information and clinical information. NKCH also identified impacted information belonging to the Clay County Public Health Center (CCPHC).

“NKCH and CCPHC take the confidentiality, privacy, and security of information in its care seriously. Upon learning of the incident from PJ&A, NKCH took steps to implement additional safeguards and review our policies and procedures relating to data privacy and security, and we promptly discontinued sharing any information with PJ&A,” the notice to patients stated.

“PJ&A no longer provides services to NKCH or Meritas. There was no impact to the security of NKCH’s, Meritas’, and CCPHC’s own systems.”

Electrostim Medical Services Breach Impacts 542K

Electrostim Medical Services (EMSI), a medical device company specializing in home electrical stimulation devices, notified 542,000 individuals of a data breach it discovered in May 2023.

After identifying suspicious activity, EMSI determined that an unauthorized actor had accessed certain parts of its network between April 27 and May 13. EMSI said it immediately engaged law enforcement and would take additional steps to safeguard data.

The scope of information impacted by the breach included names, phone numbers, email addresses, diagnoses, insurance information, and products prescribed and billed. EMSI found no evidence that the impacted information was misused but encouraged impacted individuals to remain vigilant.

Meridian Behavioral Healthcare Reports Breach

Meridian Behavioral Healthcare, a non-profit that offers mental illness and substance use disorder treatment programs in North Central Florida, recently informed 98,808 individuals of a data breach that occurred in August 2023.

An unauthorized actor accessed Meridian’s computer systems, prompting Meridian to immediately secure its network, engage a third-party firm, and reset passwords. By December, Meridian determined that patient information may have been accessed during the breach.

The information impacted may have included patient names, Social Security numbers, addresses, medical diagnosis and treatment information, health insurance information, and prescription information.

Impacted individuals were offered complimentary credit monitoring services. In addition, Meridian assured patients that it had taken additional steps to secure its network and review its policies surrounding data security and privacy.
