NY AG Issues Consumer Alert Regarding PJ&A Healthcare Data Breach

November 30, 2023 - New York Attorney General Letitia James issued a consumer alert to warn New Yorkers about the potential impacts of a data breach that occurred at Perry Johnson & Associates (PJ&A), a medical transcription company.

As previously reported, PJ&A discovered a data breach in early May that impacted nearly 9 million individuals, making it one of the largest breaches reported to HHS in 2023 so far. Northwell Health, New York’s largest healthcare provider, was one of the organizations impacted by the breach. Crouse Health in Syracuse, New York was also impacted by the breach. In total, 4 million of the 9 million individuals impacted were New Yorkers.

PJ&A’s investigation determined that an unauthorized party had maintained access to its systems between March 27 and May 2. The data impacted included insurance and clinical information from medical transcription files and some Social Security numbers.

“I urge all New Yorkers affected by this data breach to stay alert and take these important steps to protect themselves,” James stated.

“Bad actors can use the stolen information to impersonate individuals or cause financial harm. Identity theft is a serious issue, and my office will continue to take action to keep New Yorkers safe.” 

Specifically, James’ office recommended that impacted individuals monitor their credit, consider placing a free credit freeze on their credit report, and place a fraud alert on their credit report. Additionally, James urged impacted New Yorkers to contest any unrecognized medical billing.

The consumer alert is the latest addition to James’ series of actions aimed at protecting health data. In October, James announced a $350,000 settlement with Personal Touch Holding Corporation, a Long Island-based home healthcare company that suffered a ransomware attack in 2021. The settlement resolved allegations of data security failures that resulted in the attack and violated state law and HIPAA in the process.

Also in October, a multistate coalition that included James secured $49.5 million from cloud company Blackbaud over a massive 2020 data breach. These settlements exemplified a renewed focus on health data privacy at the state level, as legislators work to pass regulations at the federal level.