The vendor’s data breach impacted 1.1 million people, but it took the company 2 years to catch.
The Big Picture
MCG Health, a Seattle-based tech company, is part of the Hearst Health network and helps provide healthcare organizations with clinical expertise, software, and analytics. They also utilize artificial intelligence to help their partner hospitals make care decisions. Health plans, Electronic Health Record (EHR) platforms, and hospitals use MCG’s services. According to their website, most U.S. health plans and over 3,100 hospitals use their software and guidance.
Unfortunately, on March 25th, 2022, the company discovered a data breach had previously taken place. The company reported the breach to the Maine Attorney General’s office on June 6th, 2022. In their initial report, they claimed that 1.1 million had been impacted, but in a breach notification issued to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), MCG amended the number to 800,000 individuals.
While updates to breach numbers are fairly common as investigations unfold, the breach had also not been caught for an exceptionally long time–two years.
In MCG’s description of the breach, the organization explained uncertainty regarding when the incident occurred. “Based on a third-party analysis of the data, there is evidence to suggest the data may have been acquired by an unauthorized party on or around February 25-26, 2020,” the report read.
Class action lawsuits have become considerably more common, and now, nearly five years after the breach took place, a settlement has been reached for $8.8 million.
The Breach Details
Ultimately, it’s believed the breach went nearly two years without being discovered, a rarity in the healthcare industry. MCG did not disclose what hacking organization may have been responsible for the violation and no group has claimed it.
In their notification letter, MCG said impacted information included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender information. After the incident was discovered on March 25, 2022, MCG said they “took steps to understand its nature and scope” by hiring an investigation firm and coordinating with the FBI. MCG said they have “deployed additional monitoring tools and will continue to enhance the security systems.”
According to the HHS, the incident impacted 10 client entities, which included:
- Indiana University Health in Indianapolis, IA
- Jefferson County Health Center in Fairfield, IA
- CHI Health in Omaha, NE
- Avera Health in Sioux Falls, SD
- UNC Lenoir Health Care. in Kinston, NC
- Henry County Medical Center in Paris, TN
- Newman Regional Medical Center in Emporia, KS
- Phelps Health Medical Group in Rolla, MO
- Copley Hospital in Morrisville, VT
- Catholic Health Initiatives in Englewood, CO
The Lawsuit
Multiple class action lawsuits were filed in 2022 and ultimately consolidated. The lawsuit claims that MCG was negligent in protecting the sensitive information of the class members. The suit alleges that the breach “was a direct result of defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients’ and employees’ private information from the foreseeable threat of a cyberattack.”
The lawsuit also claims that MCG acted negligently when the company failed to detect the data breach for over two years. “That the data breach went undetected for over two years by a sophisticated provider of data management services and software solutions to the healthcare industry makes defendant’s security failure all the more egregious,” said the suit.
The Settlement
The proposed settlement was approved by a Washington federal court in May and is set for a final approval hearing on September 13th, which is expected to pass. It should result in class members collectively receiving $8.8 million after fees.
Under the settlement, class members can receive up to $1,500 in reimbursement for out-of-pocket expenses related to the data breach. In extraordinary circumstances, individuals can receive up to $10,000 in reimbursement for documented losses. Class members can also opt for a pro-rated cash payment from any leftover settlement money.
As part of the agreement, MCG maintained that they did not participate in any wrongdoing associated with the data breach.
Regulatory attorney Paul Hales of the Hales Law Group, although unaffiliated with the MCG case, said, “The MCG settlement explains the nature of health data breach class actions and their sudden, significant impact on the healthcare industry.”
“Class action lawyers stand ready to strike swiftly at reported health data breaches. Private lawyers now are perhaps the most fearsome enforces of health privacy laws,” he added.
How Cloudticity Can Help
Healthcare organizations, including EHR, medical software companies, and hospitals, handle vast amounts of sensitive and valuable data. These organizations are increasingly targeted by malicious actors eager to sell data online or demand a ransom. With lawsuits rising rapidly, organizations now have to worry about losing their financial status on top of their reputation.
With cyberattacks evolving and often occurring stealthily, healthcare organizations need to constantly monitor and defend against attacks, which requires a robust security system and a team of experts who know how to find and resolve cybersecurity vulnerabilities.
Cloudticity is a leader in managed security for healthcare, ensuring your organization remains protected and secure. As a HITRUST certified organization with over 10 years in cybersecurity, we’ve never suffered a data breach. We use a proven security tech stack with the best cybersecurity experts, ensuring your data is safe and any vulnerabilities are promptly addressed.
Unfortunately, the allegations against MCG became more egregious because the organization failed to notice the attack, but that can easily be prevented with our team of experts.
While attacks, and the associated costs, are rising, Cloudticity helps organizations focus their resources on serving patients instead of security concerns.
Learn how Cloudticity’s Managed Security for Healthcare can help you address cybersecurity needs. Reach out today for a free consultation.