A wholly-owned subsidiary of the New York-based Hearst Health network, MCG Health is facing a proposed class action seeking to hold it accountable for failing to properly secure patients’ personally identifiable information (PII) and for failing to inform the impacted individuals quicker than the almost 3 months it took.
MCG Health, a Seattle based software company, combines artificial intelligence with clinical expertise to help healthcare organizations provide care to their patients.
On June 10th, the company started to inform potentially impacted individuals of a data breach that occurred on March 25th, and which might have resulted in their personal information being accessed by a third-party.
“MCG determined on March 25, 2022 that an unauthorized party previously obtained certain of your personal information that matched data stored on MCG’s systems,” reads the notification letter – a sample of which was submitted to the Office of the Maine Attorney General.
Potentially impacted information, the company says, includes names, dates of birth, gender, addresses, Social Security numbers, email addresses, phone numbers, and medical codes.
“Upon learning of this issue, we took steps to understand its nature and scope. We have deployed additional monitoring tools and will continue to enhance the security of our systems,” MCG Health said.
The healthcare contractor informed the Maine Attorney General that 1.1 million individuals were impacted in the incident, but mentioned only roughly 790,000 patients in a breach notice to the U.S. Department of Health and Human Services – most likely, some of MCG Health’s customers are reporting the incident separately.
According to the complaint, “Defendant waited roughly three months to notify Plaintiff and Class Members of the Data Breach and/or inform them that their PII was compromised. During this time, Plaintiff and Class Members were unaware that their sensitive personal identifying information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm.”
The document also claims that the unauthorized access lasted for roughly two weeks, that the compromised data was stored unencrypted, and that MCG should have been better prepared to mitigate cyber attacks, given the frequency of incidents involving organizations in the healthcare sector.