Perry Johnson & Associates (PJ&A) Data Breach Lawsuit
Healthcare Data Breach · MDL Consolidated

Perry Johnson & Associates (PJ&A) Data Breach Class Action Lawsuit

Published July 14, 2026

If a hospital like Northwell Health or Cook County Health sent you a data-breach letter in late 2023, a vendor you had never heard of — PJ&A — was likely the source. Here is what the litigation covers, and why there is nothing to claim yet.

A medical data-breach illustration, representing the Perry Johnson & Associates (PJ&A) medical-transcription data breach litigation, MDL 3096
A 2023 breach at medical-transcription vendor Perry Johnson & Associates exposed patient data across many hospital clients. The consolidated litigation is MDL No. 3096 in the Eastern District of New York.
Allegations Only · No Settlement Yet

This article describes consolidated class action complaints. The statements below are unproven allegations. Perry Johnson & Associates and the other defendants have not been found liable, there is no certified class, and there is nothing to claim at this time. This page is informational and is not legal advice.

What Is This About?

Perry Johnson & Associates, Inc. (PJ&A) — a medical-transcription vendor based in Henderson, Nevada — is the defendant in consolidated federal litigation over a 2023 data breach. The cases are gathered as In re: Perry Johnson & Associates Medical Transcription Data Security Breach Litigation, MDL No. 3096, before Judge Rachel P. Kovner in the U.S. District Court for the Eastern District of New York. Northwell Health and several of its officers are also named as defendants.

PJ&A transcribed dictated notes and reports for many hospitals and physician groups. (It is a distinct company from the similarly named "Perry Johnson" registrar and certification businesses — don't confuse them.) Plaintiffs allege PJ&A failed to protect the patient information it held and was slow to notify the people affected. The defendants have not been found liable, and the allegations remain unproven.

Status MDL Consolidated — In Litigation MDL 3096 · E.D.N.Y. · Judge Rachel P. Kovner · consolidated Jan. 30, 2024
People Affected ~8.95M confirmed · ~13–14M aggregate 8,952,212 in PJ&A's own HHS filing; higher figure adds separate hospital-client reports · spring-2023 breach
Can I Claim? No — nothing to claim yet No settlement, no fund, no claim form at this stage

How the Breach Happened

According to PJ&A's disclosures and reporting on the incident, an unauthorized party accessed PJ&A's network for roughly a week in the spring of 2023, with data copied over a few days in early April. PJ&A has said it discovered the activity on May 2, 2023, and later determined which individuals were affected. Notification letters began going out on October 31, 2023 — a gap of about six months that plaintiffs put at the center of their complaints.

The exposed data varied by individual and by hospital client, but generally included names, dates of birth, addresses, medical record numbers, hospital account numbers, dates of service, and treatment or diagnosis information. For some individuals it also included Social Security numbers, insurance or subscriber information, and clinical details drawn from transcription files. Because the information sits at the intersection of identity and health data, plaintiffs allege the exposure carries a heightened, long-term risk.

How Many People, and Which Hospitals

The single company-confirmed figure is the one PJ&A itself reported to the U.S. Department of Health and Human Services: 8,952,212 individuals, or about 8.95 million. Because several of PJ&A's hospital clients filed their own separate breach reports on top of PJ&A's, cybersecurity trade-press tallies put the total across all client notifications at roughly 13 to 14 million people. Read the higher number as an aggregate across many reports, not as a single confirmed count.

Named affected clients include Northwell Health (about 3.89 million people, the largest single client), Cook County Health (about 1.2 million), Crouse Health, Salem Regional, Bon Secours Mercy Health, and Concentra, among others. Many patients never had a direct relationship with PJ&A and so received a notice under their hospital or provider's name — which is why so many people did not recognize the vendor at the center of the breach.

What the Lawsuits Allege

The consolidated complaints allege that PJ&A (and, for its patients, Northwell) failed to implement reasonable, industry-standard data-security measures to protect the sensitive patient information it held, and that it failed to notify affected individuals promptly. The plaintiffs bring the negligence, breach-of-implied-contract, invasion-of-privacy, and related claims typical of healthcare data-breach litigation, and seek to represent the affected patients.

As with any complaint, these are allegations only. The defendants have not been found liable, no class has been certified, and they dispute the claims. Because a data-breach class is a fixed list of people who received notices, any settlement that eventually emerges would very likely require a claimant to enter a notice ID or similar identifier — but that is a question for a future settlement, not something that exists today.

Is There a PJ&A Settlement Yet?

No. This is litigation, not a settlement.

There is no settlement fund, no claim form, no payout, and no deadline to act. The MDL is still in its pretrial stage before Judge Kovner. The consolidation of complaints is the start of a case, not the end. If the cases are resolved through a settlement, or a class is certified, a formal claims process with its own eligibility rules and deadlines would be announced separately, and OpenClassActions.com would cover it. Be skeptical of any site presenting a "PJ&A settlement claim form" today — no court-approved settlement exists.

Who Is Affected and What You Can Do

The affected population is patients whose healthcare providers used PJ&A for transcription and whose records were in PJ&A's systems during the spring-2023 intrusion. In practice, that means people who received a breach-notification letter beginning in late October 2023 (and into 2024 as more clients notified), often under the name of a hospital such as Northwell or Cook County Health.

• Keep any breach-notification letter you received — it identifies which of your data was involved and may be needed if a claims process later opens.
• Consider a free credit freeze and fraud alerts, and monitor your financial and insurance statements.
• Be alert to medical-identity theft, such as unfamiliar providers or claims on your insurance Explanation of Benefits.
• There is nothing to file right now; watch for news of a certified class or settlement.

For breach settlements that are open and claimable now, see OCA's data breach settlements tracker.

Frequently Asked Questions

Is there a PJ&A data breach settlement yet?

No. MDL 3096 is in active pretrial litigation in the Eastern District of New York. There is no fund, no claim form, and no deadline. The defendants have not been found liable.

How many people were affected?

About 8.95 million in PJ&A's own HHS filing; roughly 13 to 14 million once separate hospital-client reports are added. The lower number is the single company-confirmed figure.

Do I need to file a claim?

No. Because this is a lawsuit and not a settlement, there is nothing to claim and no deadline. Keep any breach notice you received. If a class is certified or a settlement is reached, a claims process and deadlines would be announced separately.

Sources

• Justia Dockets — In re Perry Johnson & Associates Medical Transcription Data Security Breach Litigation, MDL No. 3096: JPML Docket (MDL 3096)
• U.S. District Court, E.D.N.Y. — member docket for the consolidated MDL (No. 1:24-md-03096), via GovInfo: E.D.N.Y. Court Record
• U.S. Department of Health & Human Services — Office for Civil Rights breach portal (search "Perry Johnson"): HHS OCR Breach Portal
• TechCrunch — reporting on the scale of the PJ&A breach (Nov. 15, 2023): TechCrunch Coverage


For more class actions keep scrolling below.
Status MDL Consolidated — In Litigation (no settlement)
Case In re Perry Johnson & Associates Medical Transcription Data Security Breach Litigation
MDL Number MDL No. 3096 · No. 1:24-md-03096
Court U.S. District Court, E.D.N.Y. · Judge Rachel P. Kovner
Consolidated January 30, 2024

Related Data Breach Cases & Settlements