A lawsuit related to a wide-ranging healthcare data breach affecting nearly 9 million people last year has been filed against Bon Secours Mercy Health System and Perry Johnson & Associates, a third-party transcription services provider.
The suit, filed Tuesday in U.S. District Court in Nevada, stems from a data breach that occurred between March and May 2023.
Related article: MOVEit breach hits Johns Hopkins, other health systems
The breach, which affected the network systems of Perry Johnson, compromised personal health and identification information of patients across multiple organizations, according to data from the Health and Human Services Department's Office for Civil Rights.
The suit, filed by a Kentucky patient of Mercy Health's Cincinnati-area facilities who alleges she was affected by the breach, seeks class-action status and a jury trial. The suit seeks compensatory and punitive damages.
The complaint alleges the health system and Perry Johnson & Associates had a duty to protect information and failed to follow reasonable cybersecurity standards or provide proper notice. The patient alleges she was not notified about the breach until Nov. 8.
Perry Johnson announced the breach Nov. 1 on its website and said it had begun notifying individuals whose information may have been compromised.
Lawsuits making similar allegations have been filed against other health systems and the vendor.
A spokesperson for Bon Secours declined to comment, citing the pending litigation. The health system has not said how many patients were potentially affected.
Last year, a record-setting 727 breaches involving healthcare data, affecting 133.2 million people, were reported to HHS. More than a dozen cybersecurity incidents have been filed with HHS this month.