Dive Brief:
- A nonprofit hospital in Ohio and a medical transcription services company are facing a class action lawsuit after a data breach at the vendor earlier this year may have exposed personal and health information of nearly nine million people.
- The suit, filed this week in a district court in Ohio, alleges Salem Community Hospital and Perry Johnson & Associates, or PJ&A, waited six months to inform people who could have been affected by the breach, leaving patients vulnerable to identity theft.
- The plaintiffs also argued the hospital and vendor failed to implement cybersecurity best practices or adequately train staff, even as the risk of data breaches increases in the healthcare sector.
Dive Insight:
Breaches have become more common at healthcare organizations over the past decade, potentially exposing hundreds of millions of patients’ sensitive personal and health data.
Large breaches reported to the HHS’ Office for Civil Rights increased 93% from 2018 to 2022, with those involving ransomware increasing by 278%.
Data breaches are costly for health systems, and cyberattacks can sometimes derail operations for weeks.
The PJ&A breach, which was one of the larger healthcare data breaches reported to the OCR this year, may have exposed personal information like names, birth dates, addresses, medical record numbers, hospital account numbers, admission diagnoses and dates and times of services.
An unauthorized party gained access to the vendor’s network between March 27 and May 2.
Several other health systems have disclosed their patient data may have been compromised in the breach at the vendor, including Crouse Health, Northwell Health, Cook County Health and Mercy Health. PJ&A began sending letters to affected individuals at the end of October, according to a breach notification.
The lawsuit alleges defendants became aware of the breach in May, and letters weren’t sent until Nov. 10.
“Thus, Defendants inexplicably waited six months before informing Class Members of the Data Breach, even though Plaintiffs and the Class Members had their most sensitive personal information accessed, exfiltrated, and stolen [...],” according to the lawsuit.
A Salem spokesperson told Healthcare Dive the hospital doesn’t comment on pending litigation. PJ&A didn’t respond to a request for comment by press time.