MCG Health Deals with Multiple Class Action Lawsuits Because of Data Breach

MCG Health, a Hearst Health subsidiary located in Seattle, is facing multiple class-action lawsuits over a data breach that affected roughly 10 healthcare institutions, including Lenoir Health Care, Jefferson County Health, Indiana University Health, and Phelps Health.

The breach report submitted to the HHS’ Office for Civil Rights on June 10 stated that 793,283 persons were impacted. However, several affected healthcare companies self-reported the breach. The breach notice sent to the Maine Attorney General reveals that an unauthorized third party likely acquired the protected health information (PHI) of approximately 1.1 million individuals during the attack.

MCG Health said it found out on May 25, 2022, that the files extracted from its systems included names, medical codes, PO boxes, phone numbers, email addresses, sexes, birth dates, and Social Security numbers. The company mailed notification letters to impacted persons on June 10, 2022, and provided them with 2 years of free credit monitoring and identity theft protection services.

At least five lawsuits have now been filed against MCG Health in the District Court for the Western District of Washington over the data breach. The cases make the same claims, asserting invasion of privacy, negligence, breach of confidence, bailment, breach of implied contract, and a violation of the Washington Consumer Protection Act.

Strecker v. MCG Health claims the hackers acquired access to MCG Health systems about two weeks before the breach was detected. Booth v. MCG Health, however, states that the data breach took place more than two years before MCG Health discovered it: attackers obtained access to MCG Health systems and extracted information on approximately February 25 to 26, 2020, and the date of March 25, 2022, given on the MCG Health breach notification is when MCG Health learned about the infiltration of sensitive files. Issuing breach notifications to affected persons took over two months.

The lawsuits assert that the impacted plaintiffs have sustained lost time, hassle, disturbance, and difficulty because of the data breach. They further assert that, now that their PHI is in the possession of scammers, the plaintiffs face a significant present threat of identity theft and fraud, and that this danger will keep growing for years to come. Plaintiff Cynthia Strecker claims she experienced anxiety and emotional stress as a result of the data breach and has heightened fears about the breach of her privacy. Identical claims are presented in Crawford et al v. MCG Health, Saiki v. MCG Health, and Thorbecke et al v. MCG Health.

The lawsuits seek class action certification, pre- and post-judgment interest, punitive and compensatory damages, attorney’s fees and costs, and other relief. They would also require MCG Health to make considerable enhancements to security, such as encrypting all files, conducting frequent penetration tests, using data segmentation, improving logging and monitoring, designating a third-party assessor to perform yearly SOC 2 Type 2 attestations for ten years, and ceasing to retain personally identifiable patient information in the cloud repository.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.