A non-profit newsroom, powered by WNYC.

4M NYers' data and medical records were exposed in a breach. Here's how to protect against ID theft.

A woman looks at a cell phone while logging into a computer. — Oscar Wong / Getty Images

Published Nov 28, 2023

Modified Nov 29, 2023

We rely on your support to make local news available to all

Make your contribution now and help Gothamist thrive in 2025. Donate today

Gothamist is funded by sponsors and member donations

At least 4 million New Yorkers’ private information could be at risk of identity theft after a data breach at a medical transcription company that works with hospitals in New York, state Attorney General Letitia James said Tuesday.

The company, Nevada-based Perry Johnson & Associates, works with Northwell Health, which has hospitals and clinics across the five boroughs and Long Island, as well as Crouse Health in Syracuse. About 9 million patients nationwide are affected by the breach, according to the attorney general's office.

Most people whose data was affected have been notified of the breach, James said.

The lapse in security potentially revealed private patient information — including Social Security numbers and insurance and clinical information included in medical transcripts — per the consumer alert.

Perry Johnson & Associates became aware of the breach in May, James' office said. But the company said in its own advisory about the incident that it didn't begin sending out notices to patients whose information might have been compromised until Oct. 31.

Gothamist has reached out to ask the company why it took so long to begin sending out notifications. A spokesperson for James' office said the company notified state officials of the breach this month.

Perry Johnson & Associates said an “unauthorized party” accessed its network between March 27 and May 2 and obtained copies of files in the system.

“We value individuals’ privacy and deeply regret any concern that this incident might cause,” the company said in its advisory. “To help prevent something like this from happening again, PJ&A continues to review its safeguards and has implemented additional technical security measures to further protect and monitor its systems.”

It said the exposed data included patients' birthdates, medical record numbers, hospital account numbers, diagnoses and dates of service.

In some cases, the data also included Social Security numbers, insurance information and information from medical transcription files, such as laboratory and diagnostic testing results, medications and healthcare providers' names, the company said.

The information didn't include credit card information, bank account information or usernames and passwords, according to the advisory.

What to do if your data was compromised

Attorney General James advised anyone who might be affected by the breach to:

Monitor their credit cards and credit reports with a credit monitoring service.
Review any medical bills and contest any unrecognized charges.
Notify their insurance company about any suspected fraud.
In the event of Medicare fraud, notify the U.S. Department of Health and Human Services Office of Inspector General online or at 800-447-8477.
Obtain a copy of their medical records.
Consider putting a freeze on their credit reports with Equifax, Experian and TransUnion to prevent anyone from opening credit cards in their name.

Health care data breaches have been on the rise across the U.S. in recent years, according to the HHS. In some cases, these incidents have disrupted hospital operations, in addition to putting patient information at risk.

Earlier this month, New York Gov. Kathy Hochul announced a set of proposed rules for hospitals to beef up their cybersecurity. She included $500 million in the last state budget for hospital technology upgrades, including new cybersecurity tools.

This story has been updated to include a further statement from Attorney General Letitia James' office.