PJ&A data breach exposed info of up to 3.9 million Northwell Health patients
An "unauthorized party" breached a computer network and accessed information on up to 3.89 million patients of Northwell Health, Long Island’s largest health care system, potentially acquiring data such as medical records, lab results and insurance details that could be exploited by criminals, officials said.
In a statement, Northwell said late Thursday that Perry Johnson & Associates, a Nevada-based firm that provides medical transcription services to health care organizations across the country, including Northwell, announced that the breach of its computer network occurred in the spring of this year.
Northwell said it is not aware of any patient information being misused, but stolen health care data can be used to extract ransom from institutions and to obtain loans, medications and treatments at patients' expense.
An unauthorized party infiltrated PJ & A's network between March 27 and May 2 and retrieved information that may have contained patients' names, Social Security numbers, dates of birth, addresses, medical record numbers, diagnoses, test results and medications, the transcription company said. Northwell's systems were spared, but Northwell patient records were among files copied from PJ & A, the health system said.
Up to 3,891,565 patients' information may have been accessed, Northwell said. The health care system has said it serves about 2 million patients annually. Northwell representatives didn't respond to questions about why the number of potentially impacted individuals was almost double that, and whether that was due to its use of Perry Johnson & Associates over a yearslong period.
PJ & A did not respond to questions from Newsday. In a statement, the company noted "a cybersecurity vendor" assisted with an investigation to "contain the threat, and further secure our systems."
“Upon completing its investigation, PJ & A began sending out data breach notification letters to all individuals whose information was affected,” the company said.
PJ & A opened a call center where affected patients can ask questions at 833-200-3558.
Northwell is offering all affected patients free identity theft protection services. The health service did not respond when asked if it was still using PJ & A. Cook County Health, a network in Illinois, noted it ended its relationship with PJ & A after learning patient data was accessed in the breach.
Terminating the contract may not necessarily enhance data security, according to Nick Nikiforakis, a computer science professor at Stony Brook University.
He said Northwell was already a target, given its size. Organizations are often more susceptible to cyberattacks after one incident shows vulnerability, experts said.
"Any time you're listed on the dark web and flagged, there's going to be additional attempts," said Brian Bratchie, owner of B&L PC Solutions, Inc., a Hauppauge firm that provides IT services. The dark web refers to a corner of the internet known to attract criminal activity.
Hospitals, medical practices and ancillary companies are frequent cyberattack targets since medical records are quite valuable, experts said. Hackers can use Social Security numbers, birth dates and addresses to commit traditional crimes associated with identity theft, such as taking out credit cards or loans, said Steve Morgan, founder of Cybersecurity Ventures, a Northport-based cybersecurity market researcher and publisher.
They may also sell data to those looking to fraudulently obtain medication, procedures and medical devices, he said.
"Healthcare data can be sold on the dark web for a premium. It is more valuable than credit card and other types of data," Morgan said in an email.
The concern is deep enough that the Federal Trade Commission has published a brochure on medical identity theft, noted Nicole Osborne, an attorney at the Uniondale-based Ruskin Moscou Faltischek P.C. Anyone impacted should verify that they recognize all claims that have been filed with their insurer and paperwork from their medical providers, said Osborne, who works on cybersecurity and data privacy matters.
Medical identity fraud tips from the FTC:
- Get your records from your insurance company, medical providers, labs and pharmacy. If that's challenging, ask a patient representative or ombudsman for help.
- Look for identity errors like appointments you didn't attend or services you didn't get.
- Send written notices to whoever has the faulty record, explaining what's incorrect. Health care providers must respond to your request within 30 days.
- Get a credit report at annualcreditreport.com and look for suspicious medical bills or debt collection notices.
- Report any errors to the big three credit bureaus.
- Visit IdentityTheft.gov for advice on securing bank accounts, your Social Security number and crafting a recovery plan.