Multiple Class Action Lawsuits Filed Against MCG Health Over Data Breach
Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center.
The data breach was reported to the HHS’ Office for Civil Rights on June 10 as affecting 793,283 individuals, but some affected healthcare organizations have self-reported the breach. The breach notification issued to the Maine Attorney General indicates the protected health information of up to 1.1 million patients was potentially obtained by an unauthorized third party in the attack.
MCG Health said it discovered on May 25, 2022, that files had been removed from its systems that included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and genders. Notification letters were sent to affected individuals on June 10, 2022, and 2 years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals.
So far at least five lawsuits have been filed against MCG Health in the District Court for the Western District of Washington over the data breach. The lawsuits make similar claims and allege negligence, invasion of privacy, bailment, breach of implied contract, breach of confidence, and a violation of the Washington Consumer Protection Act.
Strecker v. MCG Health, alleges the hackers had access to MCG Health systems for at least two weeks before the breach was detected; however, Booth v. MCG Health alleges the data breach occurred more than two years before it was detected by MCG Health, and that hackers gained access to MCG Health systems and exfiltrated data around February 25 to 26, 2020, and that the breach date of March 25, 2022, on the MCG Health notifications is when MCH Health discovered that sensitive files had been infiltrated. It then took more than 2 months for notifications to be issued to affected individuals.
The lawsuits allege the affected plaintiffs have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, and now that their protected health information is in the hands of criminals, they face a substantial present risk of identity theft and fraud, and that risk will continue to increase for years to come. Plaintiff Cynthia Strecker claims to have suffered anxiety and emotional distress due to the data breach and has increased concerns for the loss of her privacy. Similar claims are made in Thorbecke et al v. MCG Health, Saiki v. MCG Health, and Crawford et al v. MCG Health.
The lawsuits seek class action certification, compensatory and punitive damages, pre- and post-judgment interest, attorney’s fees and costs, and other relief, and call for MCG Health to make significant improvements to security, including encrypting all data, conducting regular penetration tests, employing data segmentation, improving logging and monitoring, appointing a third-party assessor to conduct annual SOC 2 Type 2 attestations for 10 years, and to cease storing personally identifiable patient information in cloud databases.