Sensitive personal data belonging to at least 4 million New Yorkers in New York City and Syracuse was compromised in a data breach at Nevada-based Perry Johnson & Associates (PJ&A), a provider of medical transcription services.
PJ&A's systems were first breached in May 2023, although the breach was only recently made public. Hackers gained access to personal information including Social Security numbers, names, addresses, dates of birth, hospital account numbers, medical record numbers, admission diagnoses, dates and times of service, and insurance details in addition to medical and clinical data.
Attorney General of New York Letitia James warned residents this week to take safety measures against identity theft and fraud if they have received a notification from PJ&A regarding a data breach. Northwell Health, the biggest healthcare provider in New York, and Crouse Health, located in Syracuse, are among the affected healthcare providers.
There is a risk of confusion when a data breach occurs at a business associate and the business associate publishes notifications. Individuals who receive notification letters are unlikely to be aware that the business associate has access to their data, and they may even dismiss the letter as a scam and take no action. Several people took to Reddit to seek answers after receiving notification letters from PJ&A, as they were unsure whether the letters were legit.
Attorney General James issued an alert to notify those in New York that their data could be misused. “I urge all New Yorkers affected by this data breach to stay alert and take these important steps to protect themselves,” stated Attorney General James. “Bad actors can use the stolen information to impersonate individuals or cause financial harm. Identity theft is a serious issue, and my office will continue to take action to keep New Yorkers safe.” The same warning applies to all Americans who receive a notification letter.
The recommended courses of action include getting copies of medical records from pharmacies, health insurers, and healthcare providers and examining them for anything that seems off, as it may indicate medical identity theft; using credit monitoring services to track credit reports and generate alerts when a change is made to a credit file; putting a credit freeze on credit reports to guarantee that new credit accounts cannot be opened; and placing fraud alerts on credit reports to inform lenders and creditors to take additional steps to verify an identity before issuing credit.