Another client of the medical transcription firm Perry Johnson & Associates (PJ&A) has confirmed it has also been affected by the recent PJ&A data breach. New Hyde Park, NY-based Northwell Health, the largest health system in New York, has confirmed that it was notified on July 21, 2023, by PJ&A about the cyberattack that occurred between April 7 and April 19, 2023.

On September 28, 2023, PJ&A completed its initial investigation and was able to confirm the extent of the breach. According to News12 Long Island, Northwell Health initially released a draft statement indicating 3,891,565 individuals had been affected, although the statement was later recalled and Northwell Health said it was unable to confirm exactly how many individuals had been affected.

Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed. Northwell Health said the breach occurred at PJ&A and no Northwell Health systems were affected. Affected individuals will be offered complimentary credit monitoring services, although no evidence has been uncovered to indicate any patient data has been misused.

This is the second major vendor data breach to affect Northwell Health patients this year. Northwell Health was also affected by a hacking incident at vendor Nuance Communications. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported the breach to the HHS as affecting 1,225,054 individuals, although it is unclear how many, if any, Northwell Health patients are included in that total.

Northwell Health is the second PJ&A client to confirm it has been affected by the cyberattack and data breach. Last week, Cook County Health in Chicago said 1.2 million patients had their PHI exposed and that it was one of several PJ&A clients to be affected. Cook County Health said it terminated its relationship with PJ&A when it was informed about the data breach and had difficulty confirming exactly how many individuals had been affected. It did not receive the final list of affected patients until October 9, 2023.

The latest confirmation suggests almost 5 million patients may have been affected by the breach and had their protected health information exposed or stolen in the attack. That number could well rise over the coming days and weeks as further clients confirm they have been affected. At present there is no breach notice on the HHS’ Office for Civil Rights website from PJ&A, although the breach is now shown on the website of the California Attorney General. Since the California Attorney General only posts breach notification letters, which do not usually state how many individuals have been affected, the scale of the breach cannot yet be determined.

The post New York’s Largest Health System Affected by PJ&A Data Breach appeared first on HIPAA Journal.