DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

PJ&A data breach also affected millions of Northwell Health patients (1)

Posted on November 10, 2023 by Dissent

News12 on Long Island reports that the Perry Johnson & Associates (PJ&A) breach reported previously on this site has also affected Northwell Health, a major health system on Long Island.

PJ&A is the same medical transcription service vendor whose breach affected 1.2 million patients of Cook County Health in Illinois. That health system was notified in July by the vendor that an unauthorized individual accessed PJ&A systems where CCH patient data was stored in April 2023. On July 26, 2023, PJ&A informed CCH that personal information of CCH patients may be affected. CCH disclosed the breach on September 24. Notice sent to Northwell patients indicated a similar timeframe:  unauthorized access occurred between March 27 and May 2, with access to the Northwell data occurring specifically between April 7 and April 19.

A template notification letter by PJ&A can be found on the California Attorney General’s website. That template gets notified for each client’s patients. A substitute notice also appears on PJ&A’s website. A link to the PJ&A notice appears on Northwell Health’s home page towards the bottom of the page in a section called “Notices.”

News12 reports the number of affected patients has not been confirmed by Northwell:

A draft statement from Northwell initially said 3,891,565 people were impacted. But the health care provider later recalled that statement and said they could not confirm any specific numbers.

This incident has not appeared on HHS’s public breach tool yet. PJ&A’s substitute notice indicated they have already reported this to HHS, so HHS may be starting its investigation before it posts the entry. Whether PJ&A is providing one report to HHS for all of its clients or whether some will self-report their numbers is unknown to DataBreaches, and whether the PJ&A entry will just have a marker “501” for the number affected or will display an actual number remains to be seen. Between Cook County and Northwell, there may already be 5 million patients affected, and we do not know how many other PJ&A clients are affected (see UPDATE 1 below).

Cook County terminated its relationship with PJ&A. Northwell’s website does not indicate whether they have, too.

Of note, there has been no attribution for this breach.  The vendor has not made any mention of any extortion demands nor any negotiations or payments, and no ransomware gang has listed PJ&A on their leak site.

Update 1: PJ&A reported the incident to HHS as affecting 8,952,212 patients, but it is not clear whether that report was for just some of their clients or all of them. Since Cook County Hospital filed its own report with HHS in September, the PJ&A figure may not include those 1.2 million patients. In time, we may find out more about the number affected by this incident. We also do not yet know who is responsible for this incident.

 

Category: Health DataSubcontractorU.S.

Post navigation

← Leader of $70M Cryptocurrency and Binary Options Fraud Schemes Extradited to the U.S.
UK: Nearly £2 million of stolen cryptocurrency to be paid back to victims →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ShinyHunters and team members arrested in France (1)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.