Concentra Health Services Sued Over PJ&A Data Breach

Concentra Health Services is facing a class action lawsuit over a data breach at one of its business associates that exposed the data of almost 4 million of its patients. Concentra used the transcription service provider PJ&A, and in the normal course of business PJ&A had access to patients' protected health information (PHI). PJ&A detected suspicious activity within its network on May 2, 2023, and the forensic investigation confirmed that unauthorized individuals had access to its systems between March 27, 2023, and May 2, 2023, and acquired sensitive information. In January 2024, Concentra confirmed that the PHI of 3,998,162 patients was compromised in the attack. In total, the PJ&A data breach is known to have affected more than 14 million individuals.

A lawsuit has recently been filed against Concentra Health Services Inc., its parent company Select Medical Holdings Inc., and Perry Johnson & Associates Inc., by plaintiff Stephen Tate, whose sensitive information was compromised in the attack. According to the lawsuit, the hackers behind the attack gained access to a system where the data of Concentra patients was stored between April 7 and April 19, 2023. The compromised information included names, dates of birth, addresses, Social Security numbers, insurance and clinical information, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

According to the lawsuit, the defendants must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The lawsuit alleges that the defendants willfully, recklessly, or negligently maintained patient data that was neither properly secured nor encrypted, even though there had been a substantial increase in cyberattacks prior to the PJ&A data breach and federal agencies had issued numerous warnings about the high risk of cyberattacks on healthcare organizations and their business associates.

Further, prompt notifications were not issued to the affected individuals, who did not find out that they had been affected until several months after the breach occurred. The delay in notification allowed cybercriminals to monetize, misuse, or disseminate the stolen data before the victims could take steps to protect themselves. The plaintiff alleges that it took PJ&A until November 2023 to notify Concentra about the breach, and that Concentra did not issue individual notifications until February 2024, more than 6 months after the data breach occurred.

The plaintiff claims to have spent considerable time mitigating the impact of the data breach and will be forced to continue to spend time monitoring his accounts and taking other steps to protect himself against identity theft and fraud. The lawsuit makes four claims for relief: negligence, breach of implied contract, unjust enrichment, and breach of confidence. The lawsuit seeks class action certification, a jury trial, monetary relief (including actual damages, statutory damages, equitable relief, restitution, disgorgement, and statutory costs), and injunctive relief, as well as the cost of a lifetime of credit monitoring and identity theft protection services.

The plaintiff and class are represented by Tiffany Marko Yiatras and Francis J. Casey of Consumer Protection Legal, LLC.

The post Concentra Health Services Sued Over PJ&A Data Breach appeared first on HIPAA Journal.

Tennessee Orthopaedic Clinics Settles Class Action Data Breach Lawsuit

Knoxville, TN-based Tennessee Orthopaedic Clinics has agreed to settle a class action lawsuit that was filed in response to a March 2023 cyberattack and data breach that affected 46,679 individuals. The information exposed included names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information.

The affected individuals were notified about the breach in early May, and a class action lawsuit was rapidly filed that claimed Tennessee Orthopaedic Clinics was negligent in failing to implement reasonable and appropriate cybersecurity measures. According to the lawsuit, the data breach could have been prevented if those measures had been implemented. Tennessee Orthopaedic Clinics chose to settle the lawsuit with no admission of wrongdoing to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals who were notified about the data breach may submit claims for ordinary expenses such as communication charges, credit expenses, bank fees, and lost time (a maximum of 3 hours at $20 per hour), up to a maximum of $1,500.

Claims of up to $4,000 may also be submitted for documented extraordinary expenses, such as losses due to fraud or identity theft incurred between March 20, 2023, and April 8, 2024, provided the claimant made reasonable efforts to avoid those losses and the losses have not already been reimbursed. All class members are also entitled to two years of single-bureau credit monitoring and identity theft protection services. The deadline for exclusion from or objection to the settlement has passed, and the final approval hearing was scheduled for March 14, 2024. Class members wishing to submit claims must do so by April 8, 2024.