New York’s Largest Health System Affected by PJ&A Data Breach
Another client of the medical transcription firm Perry Johnson & Associates (PJ&A) has confirmed it has also been affected by the recent PJ&A data breach. New Hyde Park, NY-based Northwell Health, the largest healthcare provider in New York state, has confirmed that it was notified on July 21, 2023, by PJ&A about the cyberattack that occurred between March 27, 2023, and May 2, 2023.
On September 28, 2023, PJ&A completed its initial investigation and was able to confirm the extent of the breach. According to News12 Long Island, Northwell Health initially released a draft statement indicating 3,891,565 individuals had been affected, although the statement was later recalled and Northwell Health said it was unable to confirm exactly how many individuals had been affected.
Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed. Northwell Health said the breach occurred at PJ&A and no Northwell Health systems were affected. Affected individuals will be offered complimentary credit monitoring services, although no evidence has been uncovered to indicate any patient data has been misused.
This is the second major vendor data breach to affect Northwell Health patients this year. Northwell Health was also affected by a hacking incident at vendor Nuance Communications. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported the breach to the HHS as affecting 1,225,054 individuals, although it is unclear how many, if any, Northwell Health patients are included in that total.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Northwell Health is the second PJ&A client to confirm it has been affected by the cyberattack and data breach. Last week, Cook County Health in Chicago said 1.2 million patients had their PHI exposed and that it was one of several PJ&A clients to be affected. Cook County Health said it terminated its relationship with PJ&A when it was informed about the data breach and had difficulty confirming exactly how many individuals had been affected. It did not receive the final list of affected patients until October 9, 2023.
Update: While the number of Northwell Health patients affected by the breach has yet to be confirmed, PJ&A has now confirmed to the HHS’ Office for Civil Rights that 8,952,212 individuals were affected, making this one of the largest healthcare data breaches ever discovered. Some HIPAA-covered entities choose to report breaches to the HHS that occurred at business associates. It is unclear at this stage if the 8,952,212 total includes all affected PJ&A customers. You can read the latest updates on the PJ&A breach here.