Hearst Health subsidiary, MCG Health based in Seattle, is facing multiple class-action lawsuits due to a data breach that impacted approximately 10 healthcare companies such as Lenoir Health Care, Indiana University Health, Jefferson County Health Center, and Phelps Health.
The breach report was sent to the HHS’ Office for Civil Rights on June 10 indicating that 793,283 individuals were affected. But a few impacted healthcare organizations self-reported the data breach. The breach notification given to the Maine Attorney General shows that an unauthorized third party potentially obtained the protected health information (PHI) of around 1.1 million persons in the attack.
MCG Health stated it found out on May 25, 2022 that the files taken from its systems contained names, medical codes, postal addresses, telephone numbers, email addresses, genders, dates of birth, and Social Security numbers. The company sent notification letters to affected people on June 10, 2022, and offered them 2 years of complimentary credit monitoring and identity theft protection services.
To date, a minimum of five lawsuits were filed versus MCG Health in the District Court for the Western District of Washington because of the data breach. The lawsuits make identical claims and allege invasion of privacy, negligence, bailment, breach of confidence, breach of implied contract, and a violation of the Washington Consumer Protection Act.
Strecker v. MCG Health, claims the hackers got access to MCG Health systems for approximately two weeks before the detection of the breach; nevertheless, Booth v. MCG Health states the data breach happened more than two years prior to its discovery by MCG Health, and that the threat actors acquired access to MCG Health systems and downloaded data about February 25 to 26, 2020 and the breach dated March 25, 2022, on the MCG Health breach notice is the date when MCH Health learned about the infiltration of sensitive files. Issuance of breach notifications to impacted individuals took over two months.
The lawsuits claim the affected plaintiffs have endured lost time, discomfort, interference, and trouble due to the data breach. Also, now that their PHI is in the hands of cybercriminals, they face a considerable present risk of identity theft and fraud, and that threat will continue increasing for years ahead. Plaintiff Cynthia Strecker claims she suffered anxiety and emotional distress because of the data breach and has greater worries for the breach of her privacy. The same claims are made in Saiki v. MCG Health, Crawford et al v. MCG Health, and Thorbecke et al v. MCG Health.
The lawsuits seek class-action certification, pre- and post-judgment interest, compensatory and punitive damages, attorney’s fees and costs, and other relief, and necessitate MCG Health to make substantial developments to security, which include encrypting all information, performing regular penetration tests, using data segmentation, enhancing logging and monitoring, assigning a third-party assessor to carry out annual SOC 2 Type 2 attestations for 10 years, and to stop keeping personally identifiable patient information in cloud directories.