Iowa Medical Center Latest Victim of Transcription Firm Hack

Lawsuits Keep Stacking Up Against Perry Johnson and Associates
Mercy Medical Center in Iowa is the latest healthcare entity to report a large breach linked to a hack earlier this year on its former medical transcription vendor, Perry Johnson and Associates. (Image: Mercy Medical Center)

An Iowa medical center is among the latest healthcare entities reporting to federal regulators a breach tied to a hacking incident earlier this year at medical transcription vendor Perry Johnson and Associates.

Mercy Medical Center, a 450-bed Catholic hospital in Cedar Rapids, Iowa, reported to the U.S. Department of Health and Human Services on Dec. 8 that 97,132 patients had been affected in the hacking incident involving the transcription vendor.

The hospital said in a breach notice that it is a "former" Perry Johnson client and that the incident did not involve unauthorized access to any of Mercy Medical Center's computer systems or affect the ability to provide care to patients.

Mercy said the vendor discovered it had suffered a data security incident on or around May 2 and contacted the hospital to say that it had been among the organizations affected.

In response to the incident, Perry Johnson launched an investigation, retained a third-party cybersecurity expert and worked to ensure that the threat had been contained, Mercy said. "After further investigation, PJ&A determined the unauthorized party had obtained the backup files for a database which contained customer data for several organizations, including Mercy Medical Center."

The vendor notified Mercy Medical Center about the breach on Oct. 10.

Mercy patient information that was compromised includes name, birthdate, address, Social Security number and dates of admission, discharge, and medical exams.

PJ&A reported the hacking incident to federal regulators on Nov. 3 as affecting about 8.95 million individuals.

Other clients or former clients that have issued breach notices in recent weeks include Cook County Health in Illinois, where about 1.2 million patients were affected, and Syracuse, New York-based nonprofit Crouse Health, which has not disclosed how many patients were affected (see: NY AG Warns of ID Theft Risk in Medical Transcription Hack).

As of Tuesday, Perry Johnson faces more than two dozen putative federal class action lawsuits. The lawsuit complaints make similar allegations, including that the company was negligent in failing to protect plaintiffs' and class members' sensitive information from compromise, and violated a variety of state or federal regulations.

On Dec. 8, several class action plaintiffs filed a joint motion to consolidate all class actions stemming from the PJ&A data breach. The U.S. Judicial Panel on Multidistrict Litigation is slated to hear the motion on Jan. 25.

While lawsuits in the aftermath of large breaches are common, the race by so many affected individuals to file lawsuits against PJ&A in this case reflects the disturbing circumstances of a transcription company being hacked, some experts said.

"A medical transcription vendor hack is particularly worrisome because it may expose very sensitive information about a patient in excruciating detail," said regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the PJ&A cases.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



