Patient care guidelines provider MCG Health faces a proposed class lawsuit over the compromise of patient information during a March 2022 data breach.
A wholly-owned subsidiary of the New York-based Hearst Health network, MCG Health combines artificial intelligence with clinical expertise to help healthcare organizations provide care to their patients.
On June 10, the company started to inform potentially impacted individuals of a data breach that occurred on March 25, and which might have resulted in their personal information being accessed by a third-party.
“MCG determined on March 25, 2022 that an unauthorized party previously obtained certain of your personal information that matched data stored on MCG’s systems,” reads the notification letter – a sample of which was submitted to the Office of the Maine Attorney General.
Potentially impacted information, the company says, includes names, dates of birth, gender, addresses, Social Security numbers, email addresses, phone numbers, and medical codes.
“Upon learning of this issue, we took steps to understand its nature and scope. We have deployed additional monitoring tools and will continue to enhance the security of our systems,” MCG Health said.
The healthcare contractor informed the Maine Attorney General that 1.1 million individuals were impacted in the incident, but mentioned only roughly 790,000 patients in a breach notice to the U.S. Department of Health and Human Services – most likely, some of MCG Health’s customers are reporting the incident separately.
A proposed class action filed with the District Court for the Western District of Washington seeks to hold MCG accountable for failing to properly secure patients’ personally identifiable information (PII) and for failing to inform the impacted individuals faster.
“Defendant waited roughly three months to notify Plaintiff and Class Members of the Data Breach and/or inform them that their PII was compromised. During this time, Plaintiff and Class Members were unaware that their sensitive personal identifying information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the 37-page complaint alleges.
The document also claims that the unauthorized access lasted for roughly two weeks, that the compromised data was stored unencrypted, and that MCG should have been better prepared to mitigate cyberattacks, given the frequency of incidents involving organizations in the healthcare sector.
Related: Breach at Eye Care Software Vendor Hits Millions of Patients
Related: SuperCare Health Data Breach Impacts Over 300,000 People
Related: Over 500,000 Patients Hit by Data Breaches at Healthcare Firms in Alabama, Colorado
