Mercy Medical Center in Cedar Rapids, Iowa, has become the latest healthcare organization to report a breach tied to a hacking incident at medical transcription vendor Perry Johnson and Associates. The breach, affecting 97,132 patients, was reported to the U.S. Department of Health and Human Services on December 8. According to the hospital’s breach notice, Perry Johnson and Associates discovered the data security incident on or around May 2 and notified Mercy Medical Center, which was among the affected organizations. The breach did not involve unauthorized access to the medical center’s computer systems or impact patient care.
Patient information compromised in the breach includes names, birthdates, addresses, Social Security numbers, and dates of admission, discharge, and medical exams. Perry Johnson and Associates reported the hacking incident to federal regulators on November 3, estimating that approximately 8.95 million individuals were affected. The transcription vendor launched an investigation, hired a third-party cybersecurity expert, and worked to contain the threat. The unauthorized party obtained backup files for a database containing customer data for several organizations, including Mercy Medical Center.
The breach notice was sent to Mercy Medical Center on October 10, leading to the recent report to federal regulators. Perry Johnson now faces over two dozen putative federal class-action lawsuits, with allegations of negligence and violations of state or federal regulations in failing to protect sensitive information. Notable in the aftermath of this incident is the significant number of affected individuals filing lawsuits against Perry Johnson and Associates. The U.S. Judicial Panel on Multidistrict Litigation is set to hear a joint motion to consolidate these class actions on January 25.
The breach’s nature, involving a medical transcription vendor, raises concerns about the exposure of detailed and sensitive patient information. This incident adds to the growing list of healthcare organizations affected by cyberattacks, emphasizing the need for robust cybersecurity measures and vigilance within the healthcare sector to safeguard patient data.
