Concentra Confirms Almost 4 Million Patients Affected by PJ&A Data Breach
Posted By Steve Alder on Jan 31, 2024
Concentra, a Texas-based physical and occupational health provider, has confirmed it was affected by a cyberattack at its transcription service provider, PJ&A. PJ&A has already reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting almost 9 million patients; however, some PJ&A clients have chosen to report the breach to OCR themselves, including Concentra.
On January 9, 2024, Concentra confirmed that the protected health information of 3,998,162 patients was compromised in the PJ&A cyberattack, bringing the total number of affected individuals up to at least 14 million. That makes it the largest healthcare data breach of 2023. That total is likely to grow further, although by how much is not currently clear as PJ&A has not publicly disclosed which clients have been affected nor the total number of records that were compromised in the attack.
The Nevada-based medical transcription company and many of the affected clients are being sued over the data breach. At least 40 lawsuits have already been filed against PJ&A alleging negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard the sensitive health data it is provided by its clients. Some of the lawsuits name the affected healthcare companies as co-defendants.
Concentra said the information compromised includes full names and one or more of the following data elements: date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. Some individuals may also have had their Social Security number compromised, as well as insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers. There is no mention of credit monitoring and identity theft protection services being made available. Concentra has advised the affected individuals to monitor their accounts closely for signs of misuse of their information and to consider placing a fraud alert on their credit files.
Business associates of HIPAA-covered entities are prime targets for hackers because they aggregate sensitive data from many covered entities, and recent breach reports show that attackers are deliberately targeting them. A breach of this scale naturally raises questions about the security measures in place at PJ&A and how an intruder was able to reach so much client data from a single compromise. Given the high risk of cyberattacks, network segmentation and isolation of each client's data should have been in place so that a breach of the perimeter would have exposed only a limited subset of the data PJ&A held.
January 5, 2024: PJ&A Data Breach Total Grows as Kansas City Hospital Confirms 502K-Record Breach
North Kansas City Hospital and its subsidiary Meritas Health Corporation have recently announced that they were affected by the massive data breach at Perry, Johnson, and Associates (PJ&A).
PJ&A, a provider of medical transcription services, detected the cyberattack on May 2, 2023, notified its clients on July 21, 2023, and in November reported the breach to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals; however, some of its affected clients have chosen to report the breach themselves, including North Kansas City Hospital. The Missouri hospital said the protected health information of 502,438 individuals was compromised between March 27, 2023, and May 2, 2023, when hackers had access to PJ&A’s systems. At least 9,454,650 individuals are now known to have had their data compromised in the PJ&A data breach.
North Kansas City Hospital and Meritas worked with PJ&A to determine which individuals had been affected and the types of data involved, and that process was completed on November 7, 2023. During the analysis, North Kansas City Hospital also identified data belonging to the Clay County Public Health Center. The types of data involved were limited to demographic information such as name, date of birth, gender, phone number and address; health insurance information; and some clinical information. No Social Security numbers were compromised.
After learning of the breach, North Kansas City Hospital and Meritas implemented additional safeguards, reviewed their policies and procedures for data privacy and security, stopped sharing data with PJ&A, and have since severed all ties with the company. North Kansas City Hospital has advised all affected individuals to be vigilant against identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.
December 29, 2023: Class Action Lawsuits Filed Over PJ&A Data Breach
After such a large data breach, it was inevitable that class action lawsuits would be filed by individuals who had their sensitive protected health information stolen. Many law firms have opened investigations into the PJ&A data breach and class action lawsuits have started to be filed against PJ&A and the healthcare providers that used the company for medical transcription services.
Class Action Lawsuit Filed Against Northwell Health and PJ&A
At least one class action lawsuit has been filed against PJ&A and Northwell Health, New York’s largest health system. Almost 4 million patients of Northwell Health had their protected health information compromised in the PJ&A data breach.
The lawsuit was filed on behalf of plaintiffs David Mayo and Madeleine E. Schwartz and similarly situated Northwell Health patients whose PHI was compromised in the data breach. The lawsuit alleges the defendants failed to implement reasonable and adequate security measures which left their sensitive data vulnerable to cyberattacks. The information compromised in the data breach included names, birthdates, Social Security numbers, addresses, medical record numbers, hospital account numbers, admission diagnoses, and times and dates of service. The lawsuit also takes issue with the length of time taken to issue notification letters. They were sent on November 3, 2023, more than 6 months after the data breach was detected.
The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and a violation of the New York Deceptive Trade Practices Act and seeks declaratory and other equitable relief, injunctive relief, restitution, damages, attorneys’ fees, and a jury trial.
The lawsuit – David Mayo, et al. v. Northwell Health Inc., et al. – was filed in the US District Court for the Eastern District of New York. The plaintiffs are represented by Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group PC; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law PC; Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP; and Jeffrey S. Goldenberg and Todd B Naylor of Goldenberg Schneider LPA.
Lawsuit Filed Against Salem Community Hospital and PJ&A
A lawsuit was filed on December 20, 2023, by Michael Stone and Leeanne Varner against Salem Community Hospital and PJ&A over the data breach, which exposed sensitive data such as names, Social Security numbers, birth dates, medical record numbers, hospital account numbers and date(s) of service.
The lawsuit alleges the PJ&A data breach was the result of the defendants failing to follow cybersecurity best practices and not adequately training their staff, despite the heightened risk of cyberattacks in the healthcare sector. The lawsuit also claims the defendants unnecessarily delayed issuing notification letters, which were not sent until November 10, 2023. That delay, the plaintiffs argue, left them and the class members exposed to identity theft and fraud, when earlier notification would have allowed them to take steps to secure their accounts.
The lawsuit alleges negligence, negligence per se, breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, and unjust enrichment, and seeks a jury trial, injunctive relief, damages and restitution, and attorneys’ fees.
The lawsuit – Stone et al. v. Salem Community Hospital et al. – was filed in the U.S. District Court for the Northern District of Ohio. The plaintiffs are represented by Jeffrey S. Goldenberg and Todd B. Naylor of Goldenberg Schneider, LPA; Jason P. Sultzer and Philip J. Furia of The Sultzer Law Group P.C.; Jeffrey K. Brown and Andrew Costello of Leeds Brown Law, P.C.; and Charles E. Schaffer and Nicholas J. Elia of Levin Sedran & Berman LLP.
November 19, 2023: PJ&A Data Breach Announced: Almost 9 Million Patients Affected
Almost 9 million patients have been affected by a cyberattack on the transcription service provider, Perry Johnson & Associates. The PJ&A data breach is the second-largest healthcare data breach this year and the 6th largest healthcare data breach ever reported.
PJ&A is a Henderson, Nevada-based provider of transcription services to organizations in the medical, legal, and government sectors and the largest privately owned provider of transcription services in the United States. PJ&A detected unauthorized activity within its IT systems on May 2, 2023, and immediate action was taken to isolate its systems and prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack, and whether sensitive data was exfiltrated from its systems.
The forensic investigation confirmed that there had been unauthorized access to its network for more than a month between March 27, 2023, and May 2, 2023, and during that time, there had been unauthorized access to data provided by its clients. PJ&A notified its clients about the cyberattack on July 21, 2023, and in the following days confirmed there had been unauthorized access to data; however, the investigation was ongoing and it was not possible to confirm exactly what types of information had been exposed or the number of individuals affected.
The PJ&A data breach investigation was completed on September 28, 2023, and on September 29, 2023, PJ&A started providing the results of its investigation to the affected clients. PJ&A said the information accessed by the unauthorized party varied from individual to individual and may have included name, address, date of birth, medical record number, hospital account number, admission diagnosis, date/time of service, Social Security number, insurance information, and medical and clinical information. The medical and clinical information contained in the transcription files may have included laboratory and diagnostic testing results, medications, the name of the treatment facility, and healthcare provider name. Credit card information, bank account information, and usernames/passwords were not provided to PJ&A, so were not exposed.
On November 2, 2023, the breach was reported to the HHS’ Office for Civil Rights as affecting 8,952,212 individuals. PJ&A said that after notifying the affected clients it worked with them to notify the individuals identified during its review. When data breaches occur at business associates of HIPAA-covered entities, the business associate often reports the data breach to OCR; however, depending on the terms of the business associate agreements, individual covered entities may choose to report the breach themselves. It is currently unclear whether the 8,952,212 total includes all affected individuals or if some clients are reporting the breach themselves. The total reported to OCR only includes individuals who had their protected health information exposed and will not include clients in other sectors.
PJ&A explained in its HIPAA-required breach notice that it has not detected any attempted or actual misuse of the stolen data and has already taken steps to prevent similar breaches in the future, including updating its technical security measures. PJ&A made no mention of whether credit monitoring and identity theft protection services were being offered to the affected individuals, although some affected clients have said that those services have been made available.
Clients Affected
PJ&A has not publicly disclosed how many of its clients have been affected. At this stage, the HIPAA Journal has confirmed the names of several affected clients and will update this post when further information becomes available.
Cook County Health (IL)
Cook County Health operates John H. Stroger, Jr. Hospital of Cook County and Provident Hospital of Cook County in Chicago, four pharmacies, two health services (including the Cook County Department of Public Health), and 15 community health centers in Cook County, Illinois.
Individuals affected: 1.2 million
Northwell Health (NY)
Northwell Health, formerly North Shore-Long Island Jewish Health System, is the largest healthcare provider and private employer in New York State and operates 23 hospitals including its flagship North Shore University Hospital and Long Island Jewish Medical Center, as well as 700 outpatient facilities.
Individuals affected: Northwell Health issued a draft statement saying 3,891,565 individuals had been affected, but that statement was later retracted and the final total has not yet been confirmed.
Salem Regional Medical Center (OH)
Salem Regional Medical Center in Salem, OH, has confirmed it was affected by the PJ&A data breach, which the hospital said occurred between March 2 and May 2, 2023. The breached information included names, Social Security numbers, dates of birth, addresses, phone numbers, medical records, and hospital account numbers. The hospital said PJ&A is providing free identity theft protection.
Individuals affected: Unknown
Mercy Medical Center (IA)
Mercy Medical Center has confirmed that 97,132 patients have been affected by a data breach at the medical transcription firm, Perry Johnson and Associates (PJ&A). The Cedar Rapids, IA, 450-bed hospital explained that there was no breach of its own systems; however, data provided to PJ&A to allow the firm to perform its contracted duties had been exposed and potentially stolen.
PJ&A discovered on May 2, 2023, that unauthorized individuals had gained access to its network and third-party cybersecurity experts were engaged to investigate the incident. PJ&A determined that Mercy Medical Center data was involved on October 5, 2023, and informed Mercy Medical Center on October 10, 2023, that a backup of a database had been obtained by the hackers that included the data of its patients. The review of the data confirmed that names, dates of birth, addresses, admission/discharge dates, Social Security numbers, and medical examination information had been stolen.
PJ&A issued notifications on behalf of many of its clients and reported the data breach to the HHS’ Office for Civil Rights on November 3, 2023, as affecting 8.95 million individuals; however, Mercy Medical Center chose to report the breach to the HHS directly and sent individual notifications on December 8, 2023. It took Mercy Medical Center 2 months from being notified about the breach to perform the necessary steps to allow notifications to be issued. Mercy Medical Center has arranged complimentary credit monitoring services for the affected patients and has confirmed that it is no longer using PJ&A’s medical transcription services.
Individuals Affected: 97,132
Crouse Health (NY)
Syracuse, NY-based Crouse Health has confirmed that it was affected by the PJ&A data breach and that patients had the following types of information exposed: first and last name, date of birth, address, sex, phone number, medical record number, health insurance information, dates of admission and discharge, attending physician identifiers, hospital room number, and visit type. Fewer than 10% also had a transcript of care dictated by the patient’s physician, and/or the patient’s Social Security number. PJ&A has notified the affected patients.
Individuals Affected: Undisclosed
PJ&A Data Breach Investigations and Lawsuits
All data breaches affecting 500 or more individuals are investigated by the HHS’ Office for Civil Rights to determine if there have been failures to comply with the HIPAA Rules. State Attorneys General also investigate data breaches and can impose civil monetary penalties for violations of HIPAA and state laws. PJ&A has only disclosed limited information about the nature of the breach so far and, based on the information available, there are no indications that any federal or state data security regulations have been violated.
Class action lawsuits are commonly filed after healthcare data breaches, and a breach of this magnitude is likely to see many class action lawsuits filed. As of December 20, 2023, more than two dozen lawsuits had been filed against PJ&A over the data breach, all of which make similar claims: that PJ&A was negligent for failing to implement appropriate safeguards to protect patient data. A motion has been filed to consolidate the lawsuits, which is due to be heard by the U.S. Judicial Panel on Multidistrict Litigation on January 25, 2024.
While the data breach occurred at PJ&A, several lawsuits have also been filed against the healthcare providers that used PJ&A for medical transcription, including Northwell Health.
One of Many Large Data Breaches in 2023
This year is on track to be another bad year for healthcare data breaches. As of November 15, 2023, 583 data breaches of 500 or more records had been reported to the HHS’ Office for Civil Rights, but it is the size of the data breaches that is most alarming. So far this year, the protected health information of 102,407,662 individuals has been confirmed as exposed or stolen, almost double the 51,903,629 records that were breached in 2022. If large data breaches continue to be reported at current rates, 2023 looks set to become the worst-ever year in terms of the number of breached records.
OCR recently confirmed that hacking incidents now account for 77% of healthcare data breaches, and there has been a 239% increase in large data breaches in the past 4 years and a 278% increase in ransomware attacks. The number of data breaches being reported indicates healthcare providers are struggling with cybersecurity in the face of increasingly sophisticated and numerous attacks.
New York recently announced that it is taking steps to address the problem by introducing stricter cybersecurity regulations for hospitals after a series of cyberattacks that affected patient care. New York Governor Kathy Hochul also confirmed that $500 million has been made available to help hospitals make the necessary improvements to cybersecurity. New York is leading the way by taking steps to improve healthcare cybersecurity but given the seriousness of the problem, this should not be a matter for individual states to try to resolve. More needs to be done by Congress to combat the problem, such as updates to HIPAA and/or financial incentives and assistance for improving cybersecurity.