DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

PJ&A data breach also affected millions of Northwell Health patients (1)

Posted on November 10, 2023 by Dissent

News12 on Long Island reports that the Perry Johnson & Associates (PJ&A) breach reported previously on this site has also affected Northwell Health, a major health system on Long Island.

PJ&A is the same medical transcription service vendor whose breach affected 1.2 million patients of Cook County Health in Illinois. That health system was notified in July by the vendor that an unauthorized individual accessed PJ&A systems where CCH patient data was stored in April 2023. On July 26, 2023, PJ&A informed CCH that personal information of CCH patients may be affected. CCH disclosed the breach on September 24. Notice sent to Northwell patients indicated a similar timeframe:  unauthorized access occurred between March 27 and May 2, with access to the Northwell data occurring specifically between April 7 and April 19.

A template notification letter by PJ&A can be found on the California Attorney General’s website. That template gets notified for each client’s patients. A substitute notice also appears on PJ&A’s website. A link to the PJ&A notice appears on Northwell Health’s home page towards the bottom of the page in a section called “Notices.”

News12 reports the number of affected patients has not been confirmed by Northwell:

A draft statement from Northwell initially said 3,891,565 people were impacted. But the health care provider later recalled that statement and said they could not confirm any specific numbers.

This incident has not appeared on HHS’s public breach tool yet. PJ&A’s substitute notice indicated they have already reported this to HHS, so HHS may be starting its investigation before it posts the entry. Whether PJ&A is providing one report to HHS for all of its clients or whether some will self-report their numbers is unknown to DataBreaches, and whether the PJ&A entry will just have a marker “501” for the number affected or will display an actual number remains to be seen. Between Cook County and Northwell, there may already be 5 million patients affected, and we do not know how many other PJ&A clients are affected (see UPDATE 1 below).

Cook County terminated its relationship with PJ&A. Northwell’s website does not indicate whether they have, too.

Of note, there has been no attribution for this breach.  The vendor has not made any mention of any extortion demands nor any negotiations or payments, and no ransomware gang has listed PJ&A on their leak site.

Update 1: PJ&A reported the incident to HHS as affecting 8,952,212 patients, but it is not clear whether that report was for just some of their clients or all of them. Since Cook County Hospital filed its own report with HHS in September, the PJ&A figure may not include those 1.2 million patients. In time, we may find out more about the number affected by this incident. We also do not yet know who is responsible for this incident.

 

Category: Health DataSubcontractorU.S.

Post navigation

← Leader of $70M Cryptocurrency and Binary Options Fraud Schemes Extradited to the U.S.
UK: Nearly £2 million of stolen cryptocurrency to be paid back to victims →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.