Washington Medical Firm Sued for Alleged Breach Exposing 1.1 Million Patients' Health Data


A Seattle-based medical data company faces multiple lawsuits over a data breach that may have given cybercriminals access to the personal information of more than 1.1 million people.

MCG Health, which uses data to help health care providers and insurers make patient care decisions, is named in at least eight recent lawsuits claiming Social Security numbers, medical codes and other data were exposed in a breach that may have happened two years ago.

In early June, MCG Health began notifying patients and customers that "an unauthorized party previously obtained certain personal information about affected individuals that matched data stored on MCG's systems."

A notice posted by the U.S. Department of Health and Human Services on the MCG Health breach indicated that 793,283 people were affected. However, the Maine Attorney General's office put the number at 1.1 million, which various media accounts say is because some health care companies had independently reported being affected.

None of the individuals who brought the lawsuits, which were filed between June 16 and July 7 through U.S. District Court in Seattle, are from Washington state.

Ten health care companies, all out of state, reported being affected by the breach as of June 15, according to HIPAA Journal.

MCG confirmed the theft on March 25, according to the company's notice. But the Maine attorney general reported that evidence from a third-party analysis of the data suggested the actual theft may have occurred in late February 2020.

MCG did not respond to a request for comment about the litigation or the alleged breach, but provided a phone number (800-475-7221) and a link to resources for those seeking information about the breach. The company is offering affected individuals a free credit report.

MCG's "clinical decision support tools" are licensed by "a majority of U.S. health plans, nearly 2,600 hospitals, and multiple government agencies," according to its website. The company was founded in 1988 and is owned by Hearst Health.

Thieves typically use stolen medical data to commit financial fraud, not medically related crime, said James Lee, chief operating officer at the Identity Theft Resource Center, a California-based nonprofit that helps identity theft victims.

While stolen medical data is sometimes used to impersonate patients, Lee said, the more common use is to update previously obtained data to make it easier to fraudulently open bank accounts or gain access to financial resources.

"As data breaches go, it's unfortunately fairly typical and the potential for misuse is pretty high," Lee said of the MCG incident.

The lawsuits, which also seek to represent the entire "class" of potential victims, accuse MCG Health of negligence and violation of Washington's Consumer Protection Act, among other complaints. The company is also accused of delaying notification of victims.

In one suit, a Louisiana woman claims MCG waited three months before notifying her, leaving her "at significant risk of identity theft." Another suit alleges MCG Health knew about the breach in December 2021 after being contacted by an unknown third party that claimed to have obtained data from MCG and offered to sell it back to the company.

Often, thieves who steal data don't put it to use for months.

Data breaches of this kind have become common. In 2022 alone, the Washington Attorney General's Office reported more than 75 incidents affecting well over 1 million Washington residents.

The MCG breach isn't mentioned directly on the Washington state Attorney General's data breach notification webpage, although the site does refer to several recent medical data breaches affecting Washingtonians.