Therapy Provider Notifying 4 Million Patients of PJ&A Hack
Concentra Health Services Joins List of Those Affected in Transcriber's Data Breach
A Texas-based physical and occupational therapy provider is notifying nearly 4 million patients that they have joined the soaring tally of victims of a data theft incident at a Nevada medical transcription vendor last year.
Concentra Health Services reported to the U.S. Department of Health and Human Services on Jan. 9 that the 2023 hack of Perry Johnson & Associates had affected 3.9 million of its patients. The compromise of the medical transcriber appears to have exposed the personal data of at least 14 million patients and counting (see: Medical Transcriber's Hack Breach Affects at Least 9 Million).
PJ&A reported the hacking incident to HHS' Office for Civil Rights in November as affecting nearly 9 million individuals. So far, a growing list of organizations have disclosed they are among the PJ&A clients affected.
While PJ&A has not publicly named all its clients that were affected by the hack, Concentra, like some other affected entities, has filed its own breach report to HHS OCR, separate from the one submitted by PJ&A. The medical transcriber hasn't disclosed the total number of people affected by the hack, given that various clients have filed their own separate breach reports to HHS OCR. But that total appears to be at least 14 million individuals, so far.
Northwell Health, the largest health delivery organization in New York, was among several PJ&A clients that disclosed last fall that they too had been stung by the incident. About 3.9 million Northwell patients were affected, putting that breach just about tied with Concentra's PJ&A compromise in terms of the number of patients affected.
Another large healthcare provider in New York - Crouse Health - reported that an undisclosed number of its patients had been affected in the PJ&A incident.
The PJ&A hack prompted New York's attorney general in November to issue a public warning about potential ID theft and fraud risks facing affected patients in the wake of the incident (see: NY AG Warns of ID Theft Risk in Medical Transcription Hack).
Meanwhile, litigation against PJ&A related to the hack continues to pile up. As of Friday, federal court records show that more than 40 proposed class action lawsuits have been filed in recent months against PJ&A, and some of them name the company's various clients as co-defendants.
One such proposed federal class action lawsuit complaint filed last week in Nevada against PJ&A and Ohio-based Mercy Health - another medical transcription client affected by the incident - alleges negligence and other claims against the organizations for their failure to safeguard patients' sensitive information.
PJ&A faces similar claims in dozens of the other lawsuits, which for the most part all seek financial damages and injunctive orders for the company to improve its data security.
In a breach notice posted on its website about the PJ&A incident, Concentra encouraged affected individuals "to remain vigilant against incidents of identity theft by reviewing their account statements, credit reports and explanations of benefits forms for unusual activity and to detect errors."
Concentra did not immediately respond to Information Security Media Group's request for additional details regarding the PJ&A breach, including whether any of the therapy provider's patients have reported ID theft or fraud incidents they suspect may be linked to the hack.
PJ&A in its breach notice said an "unauthorized party" had gained access to the company's network between March 27, 2023, and May 2, 2023, during which time the intruder acquired copies of certain files from PJ&A systems.
This incident did not involve access to any systems or networks of PJ&A's healthcare clients, the company said. Also, the information affected by the breach did not contain credit card information, bank account information or usernames or passwords, PJ&A said.
Files affected by the incident contained personal health information of certain individuals, including name, birthdate, address, medical record number, hospital account number, admission diagnosis, and dates and times of service.
For some individuals, affected information also includes Social Security number, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.
Prime Targets
Medical transcription firms have a number of inherent traits that make them appealing potential targets for hackers, some experts said.
First, medical transcription businesses are known to have "large volumes of detailed, patient-identified data that can be used for a variety of crimes, including fraud and blackmail," said Kate Borten, president of privacy and security consultancy The Marblehead Group.
Patients may be subject to scam sales of products related to their diagnosis, or the data can be used to submit fraudulent claims, she said, adding that "patients may be willing to pay a criminal in order to keep medical information secret."
Historically, many medical transcription companies were "mom and pop businesses with weak, minimal security and privacy controls in place, making them easy targets," Borten said. And any healthcare business associate that stores or has access to large volumes of detailed patient data is at higher risk of attacks involving data theft, she added.
"There are many such 'backroom' business associates that provide services to multiple covered entities. For example, companies that process patient records requests typically have access to most or all of patients' designated record sets," Borten said. This puts these firms in the crosshairs of hackers and other threat actors.
"These types of high-risk business associates should be identified by covered entities and upstream business associates and then prioritized for detailed review of their privacy and security policies and procedures," she said.
"In some cases, a covered entity may recommend or request improvements, such as a more robust destruction policy, and technical changes such as data segmentation. Business associates should view such recommendations as beneficial to their businesses, in terms of both reducing breach risk and enhancing the company's profile."
PJ&A did not immediately respond to Information Security Media Group's request for comment.