Description

PJ&A is the largest privately owned provider of transcription services in the United States. Last year, an unauthorized party gained access to its network between March 27, 2023, and May 2, 2023. The breach exposed the personal data of more than nine million individuals, including sensitive information such as Social Security numbers (SSNs), insurance details, diagnostic testing results, medications, and clinical data from medical transcription files. The company retained a third-party cybersecurity vendor to contain the threat, assist in the investigation, and strengthen the company’s security posture against similar attacks. On its own, the attack on PJ&A was one of the largest reported to the HHS’ Office for Civil Rights last year.

In the aftermath, several clients of PJ&A have also reported breaches linked to this incident. Notably, on January 9, 2024, Concentra, a Texas-based provider specializing in physical and occupational health, reported that nearly 4 million of its patients’ information was compromised due to the PJ&A attack, raising the total affected to approximately 14 million people. Additionally, other organizations like Salem Community Hospital in Ohio and Cincinnati’s Bon Secours Mercy Health have disclosed breaches, further indicating the widespread impact of the security incident on PJ&A’s business partners.

Basis of the Case

Following the disclosure of the cyberattacks, over 40 lawsuits have been initiated against PJ&A, with some cases also implicating the healthcare organizations impacted by the breach as co-defendants. Among these, an Ohio patient has launched a class-action lawsuit against both PJ&A and Bon Secours Mercy Health. Additional legal actions involve major entities such as Northwell Health, New York’s largest health system, and Salem Community Hospital. The lawsuits argue that the cyber and data security measures employed by the defendants were insufficient, enabling cybercriminals to access highly sensitive personal information. They further allege that the defendants failed to implement adequate cybersecurity protocols and did not promptly notify the affected individuals of the data compromise, with a notification delay of up to seven months from the breach’s occurrence and six months from when the defendants became aware of it.

Call to Action

The PJ&A cyberattack exemplifies the ripple effect a single vendor breach can have, affecting countless individuals and leading to a mounting number of lawsuits. In today’s interconnected business ecosystem, safeguarding only your own network is no longer sufficient. Conducting thorough security assessments of all vendors to evaluate their cybersecurity practices is crucial to protecting the interests of your own organization and your customers. To protect themselves both legally and financially, businesses need to incorporate strong contractual agreements that specify the cybersecurity requirements and responsibilities their vendors must adhere to. Such agreements should be supplemented with continuous monitoring of vendor activities and with verification that vendors have incident response plans (IRPs) in place that allow for quick action if a breach occurs.

Achieving this level of security necessitates a comprehensive understanding of potential risks and a strategic framework for mitigation. This is where a dedicated outside cybersecurity firm such as the HALOCK Security Labs team can provide insights and strategies that your organization may not be familiar with, so you can reduce your risk exposure before the dominoes begin falling and disrupt the operations and lives of so many individuals and entities.
