Software Maker MCG Health Settles Data Breach Suit for $8.8M

In Data Breach News, Vendor News
July 27, 2024

GovInfoSecurity reports that software vendor MCG Health has agreed to pay $8.8 million to settle a consolidated proposed federal class action lawsuit involving a 2020 hacking incident.

The Seattle-based firm provides patient care guidelines to providers and health care plans. In a June 2022 announcement, they claimed that on March 25, 2022, they determined that an unauthorized party had previously obtained personal information about some patients and members of certain MCG customers. The data reportedly included some or all of the following: names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.

When DataBreaches.net reported on their disclosure in June 2022, someone identifying themself as the threat actor involved in the incident posted a comment claiming that MCG Health had known about the incident earlier and some of the data had already been sold on a named marketplace. MCG did not respond to those claims, but a statement by UNC Lenoir Health provided some support for the claim that a threat actor had been contacting MCG or affected clients months before MCG claimed they determined there was a breach.

MCG reported the incident to the Maine Attorney General’s Office in June 2022 as affecting 1.1 million people at Copley Hospital, Indiana University Health Affiliated Covered Entity, and Newman Regional Health. The submission noted that MCG was unable to definitively determine when the data were first accessed but it may have been February 25-26, 2020.

The lawsuit alleges that MCG was negligent in not preventing, detecting, or timely disclosing the February 2020 hack.

Other affected entities whose numbers were not included in that submission to Maine included Avera Health, UNC Lenoir Health, Phelps Care Regional Center, Jefferson County Health Center, Henry County Medical Center,  Saint Mary’s Health Network,  Lafayette Surgical Specialty Hospital, and Catholic Health Initiative.

In the proposed settlement, MCG admits no wrongdoing. As GovInfoSec summarizes the provisions of the proposed settlement:

Under the proposed settlement, which was approved by a Washington federal court in May and is set for a final approval hearing Sept. 13, class members can receive up to $1,500 in reimbursement for documented out-of-pocket expenses traceable to the MCG incident or up to $10,000 in reimbursement for documented extraordinary losses stemming from the incident.

As an alternative, class members can opt for a pro-rated cash payment from what – if anything – remains of the $8.8 million settlement fund after payments are made for the claims for ordinary and extraordinary losses, as well as services awards of up to $2,500 for each of the dozen representative plaintiffs and $2.93 million in attorney fees and expenses.

Each class member is also being offered three years of credit monitoring.