- Bon Secours Mercy Health and a medical transcription services vendor, Perry Johnson & Associates, are facing a lawsuit after a data breach at PJ&A last year may have exposed the personal information of millions of patients.
- The class action suit, filed in the U.S. District Court for the District of Nevada last week, alleges the health system and PJ&A failed to implement cybersecurity standards or promptly alert people whose data may have been compromised, leaving them vulnerable to identity theft and financial fraud.
- The breach at PJ&A has led to a number of other lawsuits, including one against an Ohio nonprofit hospital and another targeting New York-based Northwell Health.
Data breaches have exposed health information from hundreds of millions of patients over the past decade, and hacking incidents in particular have surged in recent years.
The number of patient records exposed doubled year over year in 2023 as breaches that compromised more than two million records increased, according to a report from cybersecurity firm Fortified Health Security.
The latest lawsuit includes a Kentucky resident who visited Mercy Health facilities around Cincinnati. She allegedly received a notice from PJ&A in November, about four months after the breach was discovered in late July.
The PJ&A breach exposed the data of nearly nine million people and was one of the largest reported to the HHS’ Office for Civil Rights last year. The vendor reported that an unauthorized party gained access to its network between March 27 and May 2 and took copies of some files.
Information compromised varied between individuals, but it could include names, addresses, admission diagnoses and dates of services, according to a breach notification from the vendor. For some people, Social Security numbers, insurance details and clinical information could have been involved.
The suit alleged the vendor and health system also failed to comply with reasonable cybersecurity standards.
“The information compromised in the Data Breach — including Social Security numbers — is much more valuable than the loss of credit card information in a retailer data breach,” the lawsuit reads. “There, victims can simply close their credit and debit card accounts and potentially even rely on automatic fraud protection offered by their banks. Here, however, the information compromised is much more difficult, if not impossible, for consumers to re-secure after being stolen.”
Bon Secours Mercy Health said it can’t comment on specifics of pending litigation, but a spokesperson told Healthcare Dive the lawsuit is “without merit, as PJ&A is a third-party vendor and not one with whom we contract directly.”
PJ&A didn’t respond to a request for comment by press time.