Company tied to 'quality guru' Perry Johnson at center of massive medical data breach

Paul Egan, Detroit Free Press
Updated ·3 min read
1

LANSING — A Michigan millionaire politician who calls himself the "quality guru" is facing a raft of corporate lawsuits over a massive medical data breach.

The suits, including one filed Friday in federal court in Detroit, have been brought against Perry Johnson & Associates Inc., a health care consulting and medical transcription firm.

Michigan businessman and politician Perry Johnson
Michigan businessman and politician Perry Johnson

The company is registered in Nevada but has offices in Troy at the world headquarters of Perry Johnson Inc. — the firm headed by Perry Johnson, of Bloomfield Hills, who ran unsuccessfully as a 2022 Republican candidate for governor of Michigan and as a 2024 candidate for president. Johnson said during a Friday taping of the WKAR-TV public affairs program "Off the Record" that he is still interested in becoming governor of Michigan.

Johnson, who spent more than $20 million of his own money on the two bids for elected office, campaigned as a "quality guru," but was one of several candidates kicked off the Michigan primary ballot after election officials found large numbers of forged signatures in his nominating petitions. Criminal charges are pending against principals of firms hired to collect signatures for Johnson and others.

Now, a privately held company that bears Johnson's name has been targeted in a cyberattack that has compromised the medical and other personal data of close to 10 million people around the U.S., according to The HIPAA Journal, an online publication that specializes in news related to the federal health privacy law, the Health Insurance Portability and Accountability Act.

The proposed class-action filed in Detroit on behalf of a New York woman, alleges the breach was the result of the company's "failure to secure and safeguard (her) and millions of other individuals' personal identifying information." The company failed to "implement and maintain reasonable security procedures and practices," the suit alleges. It says the Perry Johnson & Associates servers that were breached are located in Michigan and it makes claims for negligence and unjust enrichment.

Elizabeth Giannone, a spokeswoman for Johnson, said Tuesday he has no comment on the data breach or the lawsuits "at this time." The receptionist at the Nevada office of Perry Johnson & Associates directed questions to an email address, but there was no response to an email sent Monday. A message left for Johnson Monday at his Troy office was not returned. Perry Johnson & Associates was among the Johnson companies featured in a 2022 Bridge Michigan feature about Johnson, during his campaign for governor.

Several other lawsuits were filed earlier, in Nevada and elsewhere, records show. Johnson is not named personally as a defendant in the lawsuits.

Perry Johnson & Associates discovered the data breach in July but did not report it to the federal government until November, according to statements from the company.

The breach affected Northwell Health, which is New York's largest health system, as well as medical facilities in Missouri, Illinois, Iowa and Ohio. No medical facilities in Michigan have been connected to the breach.

The company said in a November news release that compromised information could include names, addresses, dates of birth, medical record numbers, hospital account numbers, admission diagnoses, dates/times of service, Social Security numbers, insurance information, and medical and clinical information such as diagnostic testing results. No credit card information, bank account information, or usernames and passwords were part of the data breach, the company said.

The release said the company confirmed there was unauthorized access to its network from March 27 to May 2 of last year. The company notified its clients about the breach in July before notifying the Office for Civil Rights in the U.S. Department of Health and Human Services on Nov. 2, the release said.

Contact Paul Egan: 517-372-8660 or pegan@freepress.com. Follow him on Twitter @paulegan4.

This article originally appeared on Detroit Free Press: Perry Johnson company sued over massive medical data breach