Last week, it was reported that both Cook County Health and one of New York’s largest health systems were affected by a data breach associated with Perry Johnson & Associates.
What happened
In July, several health systems and organizations were informed of a data breach that impacted Perry Johnson & Associates (PJ&A), which provided medical transportation services to several healthcare organizations.
PJ&A released a statement disclosing that an unauthorized individual accessed patient data. Following the discovery, PJ&A conducted an internal investigation that revealed their IT network had been accessed between March 27 and May 2.
1.2 million patients from Cook County Health were affected, but we are now learning that they are not the only organization to be impacted.
What’s new
Northwell Health, a New York-based vendor serving millions of patients in the state, has been impacted. According to a local news report, data from Northwell was accessed between April 7 and April 19 of this year. They were notified of the breach on July 21 and confirmed the incident on September 28th.
Northwell released an initial statement stating that over 3 million individuals were impacted, but the statement was removed. Northwell says they are currently unable to provide specific numbers.
They believe the unauthorized user could access patient names, addresses, birthdays, and medical records.
In an email statement to Becker’s Hospital Review, a spokesperson said, “While none of Northwell’s systems were impacted by this cyberattack on PJ&A, Northwell has been informed by PJ&A that records relating to Northwell’s patients were among the files copied from PJ&A’s network…Although Northwell is not aware of any evidence of subsequent misuse of the information obtained from PJ&A’s network, Northwell is offering all of its impacted patients complimentary identity theft protection services.
Why it matters
Unfortunately, Northwell was also impacted by a cyberattack earlier this year. The attack was conducted by ransom group Clop, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file.
The full extent or implications of the most recent data leak is difficult to determine at this time. Even though Northwell’s systems were not involved in the data breach, the event may change their security processes.
No matter who is found responsible for the breach, dealing with the impact can still be time-consuming and expensive to resolve.
As Northwell determines which patients had data exposed, individuals may be left uncertain of how the breach impacted them.
Read more: US government agencies hit in global cyberattack exploiting MOVEit vulnerabilities
The bottom line
The situation with PJ&A exemplifies that both healthcare organizations and their associates must prioritize security. Many organizations outsource certain tasks to improve efficiency and expertise, but it can be dangerous to have patient data available in various networks.
Organizations must carefully consider what companies have access to data and if those organizations can do more to maintain the security of protected health information.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
