Cracking the Code: Navigating 3rd Party Risk Management, Breach Notifications, and Cybercrime in the Digital Age

A Texas-based provider of physical and occupational therapy is alerting close to 4 million patients that they are among the growing number of victims of a data breach last year at a Nevada medical transcription supplier.

On January 9, Concentra Health Services disclosed to the U.S. Department of Health and Human Services a cyber breach that occurred in 2023 at Perry Johnson & Associates. The breach affected 3.9 million of Concentra’s patients. The intrusion into the medical transcription service exposed the personal information of at least 14 million patients, a number that continues to grow (see: Cyber Attack on Medical Transcription Service Impacts Over 9 Million).

In November, PJ&A informed HHS’ Office for Civil Rights of a cyber attack that affected close to 9 million people. Since then, a growing number of PJ&A clients have come forward to disclose that their patients were among those affected.

Although PJ&A has kept the identities of its affected clients confidential, Concentra and several others have independently reported the breach to HHS OCR, separately from PJ&A’s own report. PJ&A has yet to announce the total number of people affected, once the individual breach reports that multiple clients have submitted to HHS OCR are taken into account. The current estimate, however, is at least 14 million.

Northwell Health, New York’s largest health service provider, was one of several PJ&A clients that disclosed last autumn that it was caught up in the incident. Approximately 3.9 million of its patients were affected, putting that breach almost on par with the one reported by Concentra, also a PJ&A client. Both incidents are significant because of the large number of patients involved.

Crouse Health, a major healthcare provider in New York, has disclosed that an undetermined number of its patients were affected in the PJ&A incident.

The cyber intrusion at PJ&A prompted the Attorney General of New York to issue a public alert in November, warning affected individuals about the risk of identity theft and fraud stemming from the incident (see: ID Theft Risk in Medical Transcription Hack – A Warning from NY’s AG).

Meanwhile, lawsuits against PJ&A over the breach continue to pile up. According to federal court records as of Friday, more than 40 proposed class action lawsuits have been filed against PJ&A in the past few months. Notably, some of these lawsuits also name the company’s various clients as co-defendants.

A federal class action lawsuit was recently filed in Nevada against PJ&A and Mercy Health, an Ohio-based medical transcription client. The proposed suit, filed last week, accuses both organizations of negligence and other claims for failing to protect their patients’ confidential data.

PJ&A faces similar allegations in numerous other lawsuits, most of which seek monetary damages and court orders requiring the firm to strengthen its data protection measures.

In a notice about the PJ&A incident published on its website, Concentra urged affected individuals to remain alert for signs of identity theft by regularly reviewing their account statements, credit reports, and explanation of benefits statements for unusual activity or discrepancies.

Concentra did not immediately respond to Information Security Media Group’s request for further details about the PJ&A breach, including whether any of the therapy provider’s patients have reported identity theft or fraud they suspect is linked to the attack.

In its breach notification, PJ&A stated that a “third-party intruder” had gained access to the company’s network. The compromise lasted from March 27, 2023, to May 2, 2023, during which the unauthorized party copied certain files from PJ&A’s systems.

PJ&A stated that the incident did not compromise any systems or networks belonging to its healthcare clients, and that the affected data did not include credit card numbers, bank account credentials, or login information.

The affected files contained personal health information, including individuals’ names, dates of birth, addresses, medical record numbers, hospital account numbers, admitting diagnoses, and dates and times of service.

For some individuals, the compromised data may also include Social Security numbers, insurance information, and clinical information from transcription files, such as laboratory and diagnostic test results, medications, the name of the treating facility, and the names of their healthcare providers.

Top on the Hit List

Certain characteristics of medical transcription companies make them attractive targets for cybercriminals, according to some professionals in the field.

To begin with, medical transcription firms are known to hold large volumes of detailed, patient-specific information that can be exploited for a range of criminal activities, such as fraud and extortion, according to Kate Borten, president of The Marblehead Group, a privacy and security consulting firm.

Individuals could fall prey to fraudulent sales of products tied to their medical condition, or their personal data could be used to file false insurance claims, she explained. She added that “individuals might be prepared to give money to a fraudster to maintain the confidentiality of their health records.”

Historically, many medical transcription firms were essentially small family businesses that lacked robust security and privacy programs, leaving them vulnerable to attack, according to Borten. She also noted that any healthcare business associate that stores or has access to a large amount of detailed patient data is more exposed to breaches involving data theft.

Many “behind-the-scenes” business associates provide services to a range of covered entities. For instance, companies that handle patient record requests usually have access to a significant portion, if not all, of a patient’s designated record set, according to Borten. As a result, these companies become prime targets for hackers and other threats.

She emphasized that covered entities and their upstream business associates need to identify those business associates that pose a high risk, and then, as a priority, conduct a thorough evaluation of their privacy and security policies and procedures.

“Occasionally, an entity with certain responsibilities may suggest or propose enhancements, like a stronger policy for data elimination and technical modifications like data partitioning. Business partners ought to perceive these suggestions as advantageous for their operations, both in the aspect of lessening the threat of data leaks and boosting the company’s reputation.”
