Source: www.databreachtoday.com – Author: 1
Healthcare
,
Incident & Breach Response
,
Industry Specific
Lawsuits Keep Stacking Up Against Perry Johnson and Associates
Marianne Kolbasuk McGee (HealthInfoSec) •
December 19, 2023
An Iowa medical center is among the latest healthcare entities reporting to federal regulators a breach tied to a hacking incident earlier this year at medical transcription vendor Perry Johnson and Associates.
See Also: JavaScript and Blockchain: Technologies You Can’t Ignore
Mercy Medical Center, a 450-bed Catholic hospital in Cedar Rapids, Iowa, reported to the U.S. Department of Health and Human Services on Dec. 8 that 97,132 patients had been affected in the hacking incident involving the transcription vendor.
The hospital said in a breach notice that it is a “former” Perry Johnson client and that the incident did not involve unauthorized access to any of Mercy Medical Center’s computer systems or affect the ability to provide care to patients.
Mercy said the vendor discovered it had suffered a data security incident on or around May 2 and contacted the hospital to say that it had been among the organizations affected.
In response to the incident, Perry Johnson launched an investigation, retained a third-party cybersecurity expert and worked to ensure that the threat had been contained, Mercy said. “After further investigation, PJ&A determined the unauthorized party had obtained the backup files for a database which contained customer data for several organizations, including Mercy Medical Center.”
The vendor notified Mercy Medical Center about the breach on Oct. 10.
Mercy patient information that was compromised includes name, birthdate, address, Social Security number and dates of admission, discharge, and medical exams.
PJ&A reported the hacking incident to federal regulators on Nov. 3 as affecting about 8.95 million individuals.
Other clients or former clients that have issued breach notices in recent weeks include Cook County Health in Illinois, where about 1.2 million patients affected, and Syracuse, New York-based non-profit Crouse Health, which has not disclosed how many patients were affected (see: NY AG Warns of ID Theft Risk in Medical Transcription Hack).
As of Tuesday, Perry Johnson faces more than two dozen putative federal class action lawsuits. The lawsuit complaints make similar allegations, including that the company was negligent in failing to protect plaintiffs’ and class members’ sensitive information from compromise, and violated a variety of state or federal regulations.
On Dec. 8, several class action plaintiffs filed a joint motion to consolidate all class actions stemming from the PJ&A data breach. The U.S. Judicial Panel on Multidistrict Litigation is slated to hear the motion on Jan. 25.
While lawsuits in the aftermath of large breaches are common, the race by so many affected individuals to file lawsuits against PJ&A in this case reflects the disturbing circumstances of a transcription company being hacked, some experts said.
“A medical transcription vendor hack is particularly worrisome because it may expose very sensitive information about a patient in excruciating detail,” said regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the PJ&A cases.
Original Post url: https://www.databreachtoday.com/iowa-medical-center-latest-victim-transcription-firm-hack-a-23929
Category & Tags: –
