Concentra is the Latest Victim of the PJ&A Data Breach

Concentra Health Services, a Texas-based physical and occupational therapy provider, is notifying nearly 4 million patients that their protected health information (PHI) was breached at Perry Johnson & Associates (PJ&A) last year. Concentra is a customer of PJ&A, a medical transcription vendor and HIPAA business associate based in Nevada. PJ&A provides medical transcription services to healthcare organizations and physicians across the country.

Concentra operates nationwide, with 540 medical centers and 140 onsite clinics at employer locations, as well as telemedicine for work-related illnesses and injuries.

Perry Johnson & Associates Breach is the Largest of 2023

Before the Concentra breach was reported on January 9, 2024, PJ&A’s healthcare data breach (affecting 9 million) was the second largest reported breach in 2023, behind HCA Healthcare (affecting 11.2 million). When the 4 million Concentra patients are included, the PJ&A breach is the largest of 2023, affecting 13 million.

PJ&A’s breach report to the U.S. Department of Health and Human Services (HHS) on November 3, 2003, did not identify all of the provider customers affected, nor did it include all the patients from all of its customers; several provider customers have come forward since then, and Concentra filed its own separate breach report.

Many other providers have disclosed they were affected by the PJ&A incident, although not all have filed breach reports. We assume the patient numbers of providers who didn’t file reports were included in PJ&A’s report.

  • Northwell Health, the most extensive healthcare delivery system in New York State, disclosed that 3.9 million patients were affected by the PJ&A data breach.
  • Crouse Health, also in New York, disclosed that an undisclosed number of its patients were affected.
  • Cook County Health in Illinois reported that the breach affected 1.2 million patients.

Because the PJ&A breach affected so many New Yorkers, New York State Attorney General Letitia James issued a Consumer Alert cautioning citizens to take action to prevent identity theft.

Some of the other providers affected by the PJ&A incident include Mercy Health (Ohio and Kentucky), North Kansas City Hospital (Missouri), Salem Regional Medical Center (Ohio), and Mercy Medical Center (Iowa).

The PHI compromised in the PJ&A breach includes names, birthdates, addresses, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

For some individuals, affected information also includes their Social Security number, insurance information, and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

Lawsuits Follow a Large Breach

More than 40 class action lawsuits related to the cyber attack have been filed against PJ&A. Some of the lawsuits include the healthcare provider customers of PJ&A as defendants.

The lawsuits are similar, with many alleging negligence by the providers and PJ&A in failing to safeguard patients’ PHI. Claims include breach of contract, breach of third-party beneficiary contract, breach of fiduciary duty, unjust enrichment, and violation of state consumer protection and privacy laws.

HIPAA Requires Business Associate Due Diligence

Even though the cyberattack happened at PJ&A, the covered entity providers are not off the hook.

Covered entities are required to conduct due diligence with their business associates. Covered entities must ask whether the vendor complies with HIPAA, has up-to-date policies and procedures, and has performed a HIPAA risk analysis. Finally, covered entities must enter into a business associate agreement with third-party vendors.

The HIPAA E-Tool® can help covered entities and business associates understand their responsibilities under HIPAA. Don’t wait for a cyber attack to force you to strengthen your cybersecurity defenses. We have guidance and answers to your questions today.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
