“We retained a cybersecurity vendor to assist with the investigation, contain the threat, and further secure our systems. We also directed its vendor to review the affected files and determine their precise contents,” PJ&A said in an organizational statement.
Mercy Health did not provide further comment beyond PJ&A’s statement.
The hacking of PJ&A’s network server affects more than 8.9 million people, according to the U.S. Department of Health and Human Services.
The files the hacker accessed included personal health information, such as date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. The information accessed did not include credit card information, bank account information, or usernames or passwords.
For some individuals, the impacted data may have also included Social Security numbers, insurance information, and clinical information from medical transcription files. The clinical information could include laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.
“While we have no evidence that individuals’ information has been misused for the purpose of committing fraud or identity theft, individuals whose information may have been involved are encouraged to review the notification they receive, including guidance on what they can do to protect themselves, should they feel it is appropriate to do so,” PJ&A said.
PJ&A established a call center for affected individuals with questions about the incident at (833) 200-3558.
Mercy Health’s parent company, Bon Secours Mercy Health, is the fifth largest Catholic hospital system in the U.S., with 47 hospitals, 3,000 physicians and 60,000 associates across seven states and Ireland.
The PJ&A data breach follows a number of other data breaches, including one involving the communications software company Welltok that affected Premier Health patients. Welltok notified patients with Premier Health that a network server had been hacked on May 30.
Multiple health care organizations have been impacted by both the Welltok and PJ&A data breaches, with more than 8.4 million people affected, according to the U.S. Department of Health and Human Services.
Welltok’s data breach was due to a cybersecurity vulnerability in Welltok’s MOVEit Transfer server. MOVEit provides cloud services, like data storage.
CareSource clients were also impacted by a data breach involving MOVEit that took place on May 31. That data breach led to multiple class action lawsuits, many of which have been transferred to the District of Massachusetts where multiple companies like CareSource are listed as defendants in litigation involving the MOVEit data breach.