PJ&A data breach exposed info of up to 3.9 million Northwell Health patients

An "unauthorized party" breached a computer network and accessed information on up to 3.89 million patients of Northwell Health, Long Island’s largest health care system, potentially acquiring data such as medical records, lab results and insurance details that could be exploited by criminals, officials said.  

In a statement, Northwell said late Thursday that Perry Johnson & Associates, a Nevada-based firm that provides medical transcription services to health care organizations across the country, including Northwell, announced that the breach of its computer network occurred in the spring of this year.
Northwell said it is not aware of any patient information being misused, but stolen health care data can by used to extract ransom from institutions and to obtain loans, medications and treatments at patients' expense. 

An unauthorized party infiltrated PJ & A's network between March 27 and May 2 and retrieved information that may have contained patients' names, Social Security numbers, dates of birth, addresses, medical record numbers, diagnoses, test results and medications, the transcription company said. Northwell's systems were spared, but Northwell patient records were among files copied from PJ & A, the health system said.

Up to 3,891,565 patients' information may have been accessed, Northwell said. The health care system has said it serves about 2 million patients annually. Northwell representatives didn't respond to questions about why the number of potentially impacted individuals was almost double that, and whether that was due to its use of Perry Johnson & Associates over a yearslong period.

PJ & A did not respond to questions from Newsday. In a statement, the company noted "a cybersecurity vendor" assisted with an investigation to "contain the threat, and further secure our systems."

“Upon completing its investigation, PJ & A began sending out data breach notification letters to all individuals whose information was affected,” the company said. 

PJ & A opened a call center where affected patients can ask questions at 833-200-3558.

Northwell is offering all affected patients free identity theft protection services. The health service did not respond when asked if it was still using PJ & A. Cook County Health, a network in Illinois, noted it ended its relationship with PJ & A after learning patient data was accessed in the breach. 

Terminating the contract may not necessarily enhance data security, according to Nick Nikiforakis, a computer science professor at Stony Brook University. 

He said Northwell was already a target, given its size. Organizations are often more susceptible to cyberattacks after one incident shows vulnerability, experts said.  

"Any time you're listed on the dark web and flagged, there's going to be additional attempts," said Brian Bratchie, owner of B&L PC Solutions, Inc., a Hauppauge firm that provides IT services. The dark web refers to a corner of the internet known to attract criminal activity.

Hospitals, medical practices and ancillary companies are frequent cyberattack targets since medical records are quite valuable, experts said. Hackers can use Social Security numbers, birth dates and addresses to commit traditional crimes associated with identity theft, such as taking out credit cards or loans, said Steve Morgan, founder of Cybersecurity Ventures, a Northport-based cybersecurity market researcher and publisher.

They may also sell data to those looking to fraudulently obtain medication,  procedures and medical devices, he said. 

"Healthcare data can be sold on the dark web for a premium. It is more valuable than credit card and other types of data," Morgan said in an email. 

The concern is deep enough that the Federal Trade Commission has published a brochure on medical identity theft, noted Nicole Osborne, an attorney at the Uniondale-based Ruskin Moscou Faltischek P.C. Anyone impacted should verify that they recognize all claims that have been filed with their insurer and paperwork from their medical providers, said Osborne, who works on cybersecurity and data privacy matters.