Northwell Health Confirms Data Breach Impacting Millions in PJ&A Cyberattack

New Hyde Park, NY-based Northwell Health, the largest health system in New York, has joined the list of Perry Johnson & Associates (PJ&A) clients affected by the recent data breach. The breach, which PJ&A found had occurred between April 7 and April 19, 2023, was reported to Northwell Health on July 21, 2023.

PJ&A concluded its initial investigation on September 28, 2023, revealing the extent of the breach. News12 Long Island reported that Northwell Health initially estimated 3,891,565 individuals were affected, but later retracted the statement, citing uncertainty in confirming the exact number impacted.

According to Northwell Health, the breach compromised names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician details. Some patients also had their Social Security numbers exposed. The incident was isolated to PJ&A, and Northwell Health’s internal systems remained unaffected. Affected individuals are offered complimentary credit monitoring, though there is no evidence of patient data misuse.

This marks Northwell Health’s second major vendor data breach in 2023. The earlier incident involved vendor Nuance Communications, where the Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023. Nuance Communications reported that breach to the HHS as affecting 1,225,054 individuals.

Northwell Health is the second PJ&A client to confirm that it was affected by the cyberattack. Cook County Health in Chicago, another PJ&A client, reported in a recent statement that the PHI of 1.2 million patients was exposed. Cook County Health terminated its relationship with PJ&A upon learning of the breach and faced challenges in determining the exact number of affected individuals, receiving the final list on October 9, 2023.

The combined impact of the two confirmed breaches suggests nearly 5 million patients may have had their protected health information exposed or stolen. The true scale of the breach remains uncertain as more affected clients may emerge in the coming days. As of now, the HHS’ Office for Civil Rights website lacks a breach notice from PJ&A, but the breach is listed on the California Attorney General’s website, where the specific number of affected individuals has yet to be disclosed.
