Concentra Health Services, a Texas-based physical and occupational therapy provider, is notifying nearly 4 million patients that their protected health information (PHI) was breached at Perry Johnson & Associates (PJ&A) last year. Concentra is a customer of PJ&A, a medical transcription vendor and HIPAA business associate based in Nevada.  PJ&A provides medical transcription services to healthcare organizations and physicians across the country.

Concentra operates nationwide, with 540 medical centers and 140 onsite clinics at employer locations, as well as telemedicine for work-related illnesses and injuries.

Perry Johnson & Associates Breach is the Largest of 2023

Before the Concentra breach was reported on January 9, 2024, PJ&A’s healthcare data breach (affecting 9 million) was the second largest reported breach in 2023, behind HCA Healthcare (affecting 11.2 million). When the 4 million Concentra patients are included, the PJ&A breach is the largest of 2023, affecting 13 million.

PJ&A’s breach report to the U.S. Department of Health and Human Services (HHS) on November 3, 2003, did not identify all of the provider customers affected, nor did it include all the patients from all of its customers; several provider customers have come forward since then, and Concentra filed its own separate breach report.

Many other providers have disclosed they were affected by the PJ&A incident, although not all have filed breach reports. We assume the patient numbers of providers who didn’t file reports were included in PJ&A’s report.

• Northwell Health, the most extensive healthcare delivery system in New York State, disclosed that 3.9 million patients were affected by the PJ&A data breach.
• Crouse Health, also in New York, disclosed that an undisclosed number of its patients were affected.
• Cook County Health in Illinois reported that the breach affected 1.2 million patients.

Because the PJ&A breach affected so many New Yorkers, New York State Attorney General Letitia James issued a Consumer Alert cautioning citizens to take action to prevent identity theft.

Some of the other providers affected by the PJ&A incident include Mercy Health (Ohio and Kentucky), North Kansas City Hospital (Missouri), Salem Regional Medical Center (Ohio), and Mercy Medical Center (Iowa).

The PHI compromised in the PJ&A breach includes names, birthdates, addresses, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

For some individuals, affected information also includes their Social Security number, insurance information, and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

Lawsuits Follow a Large Breach

More than 40 class action lawsuits related to the cyber attack have been filed against PJ&A. Some of the lawsuits include the healthcare provider customers of PJ&A as defendants.

The lawsuits are similar, with many alleging negligence of the providers and PJ&A for their failure to safeguard patients’ PHI. Claims include breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and violation of state consumer protection and privacy laws.

HIPAA Requires Business Associate Due Diligence

Even though the cyberattack happened at PJ&A, the covered entity providers are not off the hook.

Covered entities are required to conduct due diligence with their business associates. Covered entities must ask whether the vendor complies with HIPAA, has up-to-date policies and procedures, and has performed a HIPAA risk analysis. Finally, covered entities must enter a business associate agreement with third-party vendors.

The HIPAA E-Tool^® can help covered entities and business associates understand their responsibilities under HIPAA. Don’t wait for a cyber attack to force you to strengthen your cybersecurity defenses. We have guidance and answers to your questions today.