(NewsNation) — Nearly 9 million people had their sensitive data stolen in a cyberattack on a medical transcription company, marking the second-largest data breach in years targeting health care records.
Perry Johnson & Associates, Inc., a third-party vendor for numerous health care organizations, disclosed the breach in a filing with the U.S. Department of Health and Human Services.
The company said the hackers had access to its systems from March 27 to May 2 and “acquired copies of certain files.” Those files varied for each person but may have included patients’ names, dates of birth, diagnoses and, for some, their Social Security numbers.
PJ&A began notifying affected patients Oct. 31, nearly six months after the breach was discovered and contained.
“While we have no evidence that individuals’ information has been misused for the purpose of committing fraud or identity theft, individuals whose information may have been involved are encouraged to review the notification they receive, including guidance on what they can do to protect themselves, should they feel it is appropriate to do so,” the company said in its filing with DHHS.
PJ&A provides dictation and transcription services to health care organizations and physicians.
One of the clients for PJ&A was the Cook County Health Department in Illinois, which said in a public notice on its website that 1.2 million of its patients were affected.
The breach against PJ&A was the second largest in years, according to the DHHS reporting portal that dates back to 2020. A total of 11.27 million patients were affected in a breach of HCA Healthcare earlier this year.
News of the PJ&A breach comes in the same week that McLaren Health Care confirmed more than 2 million patients were affected in a breach.