News12 on Long Island reports that the Perry Johnson & Associates (PJ&A) breach reported previously on this site has also affected Northwell Health, a major health system on Long Island.
PJ&A is the same medical transcription service vendor whose breach affected 1.2 million patients of Cook County Health in Illinois. That health system was notified in July by the vendor that an unauthorized individual accessed PJ&A systems where CCH patient data was stored in April 2023. On July 26, 2023, PJ&A informed CCH that personal information of CCH patients may be affected. CCH disclosed the breach on September 24. Notice sent to Northwell patients indicated a similar timeframe: unauthorized access occurred between March 27 and May 2, with access to the Northwell data occurring specifically between April 7 and April 19.
A template notification letter by PJ&A can be found on the California Attorney General’s website. That template gets notified for each client’s patients. A substitute notice also appears on PJ&A’s website. A link to the PJ&A notice appears on Northwell Health’s home page towards the bottom of the page in a section called “Notices.”
News12 reports the number of affected patients has not been confirmed by Northwell:
A draft statement from Northwell initially said 3,891,565 people were impacted. But the health care provider later recalled that statement and said they could not confirm any specific numbers.
This incident has not appeared on HHS’s public breach tool yet. PJ&A’s substitute notice indicated they have already reported this to HHS, so HHS may be starting its investigation before it posts the entry. Whether PJ&A is providing one report to HHS for all of its clients or whether some will self-report their numbers is unknown to DataBreaches, and whether the PJ&A entry will just have a marker “501” for the number affected or will display an actual number remains to be seen. Between Cook County and Northwell, there may already be 5 million patients affected, and we do not know how many other PJ&A clients are affected (see UPDATE 1 below).
Cook County terminated its relationship with PJ&A. Northwell’s website does not indicate whether they have, too.
Of note, there has been no attribution for this breach. The vendor has not made any mention of any extortion demands nor any negotiations or payments, and no ransomware gang has listed PJ&A on their leak site.
Update 1: PJ&A reported the incident to HHS as affecting 8,952,212 patients, but it is not clear whether that report was for just some of their clients or all of them. Since Cook County Hospital filed its own report with HHS in September, the PJ&A figure may not include those 1.2 million patients. In time, we may find out more about the number affected by this incident. We also do not yet know who is responsible for this incident.