MCG Health Settles Class Action Data Breach Lawsuit for $8.8 Million
The Seattle, WA-based software company, MCG Health, has proposed a $8.8 million settlement to resolve a consolidated class action lawsuit stemming from a February 2020 data breach that involved the protected health information of 793,283 individuals. It took MCG Health two years to discover that a threat actor had obtained data from its network, with that determination made on March 25, 2022. Patients of at least 10 of its clients had information compromised in the incident including names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, and dates of birth.
Several class action lawsuits were filed in response to the breach that made similar claims and alleged negligence, invasion of privacy, bailment, breach of implied contract, breach of confidence, and a violation of the Washington Consumer Protection Act. The lawsuits were consolidated into a single action in the U.S. District Court for the Western District of Washington – In re: MCG Health Data Security Issue Litigation.
MCG Health has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, $8.8 million will be made available to cover legal costs, attorneys’ fees, and claims from individuals who had their sensitive data compromised in the incident. Class members may submit claims of up to $1,500 to cover documented data breach-related ordinary expenses, and claims may be submitted for up to $10,000 to cover extraordinary losses such as identity theft and fraud, making the total potential award $11,500 per claimant.
Class members can choose to receive a cash payment in lieu of submitting claims for reimbursement of losses. The cash payments will be paid pro rata after administrative costs, attorneys’ fees ($2,930,000), service awards ($2,500), and claims have been paid. Should those costs exceed the total settlement value, claims will be paid pro rata and cash payments will not be paid. The settlement also includes three years of three-bureau credit monitoring services through Kroll.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The deadline for exclusion from and objection to the settlement is August 29, 2024, claims must be submitted no later than September 30, 2024, and the final approval hearing has been scheduled for September 13, 2024. The class was represented by Jason T. Dennett of Tousley Brain Stephens PLLC, Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Adam Polk of Girard Sharp LLP.
