
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Concentra Health Services Sued Over PJ&A Data Breach

Concentra Health Services is facing a class action lawsuit over a data breach at one of its business associates that exposed the data of almost 4 million of its patients. Concentra used the transcription service provider PJ&A, and during the normal course of business, PJ&A had access to patients' protected health information (PHI). PJ&A detected suspicious activity within its network on May 2, 2023, and the forensic investigation confirmed that unauthorized individuals had access to its systems between March 27, 2023, and May 2, 2023, and acquired sensitive information. In January 2024, Concentra confirmed that the PHI of 3,998,162 patients was compromised in the attack. In total, the PJ&A data breach is known to have affected more than 14 million individuals.

A lawsuit has recently been filed against Concentra Health Services Inc., its parent company Select Medical Holdings Inc., and Perry Johnson & Associates Inc., by plaintiff Stephen Tate, whose sensitive information was compromised in the attack. According to the lawsuit, the hackers behind the attack gained access to a system where the data of Concentra patients was stored between April 7 and April 19, 2023. The compromised information included names, dates of birth, addresses, Social Security numbers, insurance and clinical information, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

According to the lawsuit, the defendants must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The lawsuit alleges that the defendants willfully, recklessly, or negligently maintained patient data, which was neither properly secured nor encrypted, even though there had been a substantial increase in cyberattacks prior to the PJ&A data breach and federal agencies had issued numerous warnings about the high risk of cyberattacks on healthcare organizations and their business associates.

Further, prompt notifications were not issued to the affected individuals, who did not find out that they had been affected until several months after the breach occurred. The delay in notification allowed cybercriminals to monetize, misuse, or disseminate the stolen data before the victims could take steps to protect themselves. The plaintiff alleges that it took PJ&A until November 2023 to notify Concentra about the breach, and Concentra didn’t issue individual notifications until February 2024, more than 6 months after the data breach occurred.

The plaintiff claims to have spent considerable time mitigating the impact of the data breach and will be forced to continue to spend time monitoring his accounts and taking other steps to protect himself against identity theft and fraud. The lawsuit makes four claims for relief: negligence, breach of implied contract, unjust enrichment, and breach of confidence. The lawsuit seeks class action certification, a jury trial, monetary relief – including actual damages, statutory damages, equitable relief, restitution, disgorgement, and statutory costs – and injunctive relief, as well as the cost of a lifetime of credit monitoring and identity theft protection services.

The plaintiff and class are represented by Tiffany Marko Yiatras and Francis J. Casey of Consumer Protection Legal, LLC.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
