The defendant in this case, MCG Health, LLC, stores patient data from some 1.1 million hospital patients around the US. The complaint for this class action alleges that MCG did not take adequate steps to protect this information, and, when a data breach resulted in December 2021, misrepresented how the incident had happened and did not announce the problem until months later.
The class for this action is all individuals living in the US whose personally identifiable information (PII) and protected health information (PHI) were compromised in the data breach announced by MCG in March 2022.
The complaint alleges that “cybercriminals could bypass and breach MCG’s security systems because MCG does not adhere to industry-standard cybersecurity policies, state and federal law, or its own data security policies…” MCG failed in its duties to protect the information it maintained, the complaint says, even though it said that businesses must be “more diligent than ever” in protecting data.
The complaint also accuses MCG of not being forthright about when and how the breach happened. The Notice the company put out claims that MCG became aware of the data breach in March 2022, but the complaint alleges that its hospital customers have said that MCG actually learned about it in December 2021.
The complaint quotes from a UNC Lenoir Health Care data breach notice: “In December of 2021 and again in January of 2022, MCG was contacted by an unknown third[ ]party who claimed to have improperly obtained patient data from MCG. This third[ ]party made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI…”
But the complaint quotes MCG’s Notice as presenting the matter differently: MCG determined on March 25, 2022 that an unauthorized party previously obtained certain personal information about affected individuals that matched data stored on MCG’s systems.” The complaint also quotes the Notice as saying, “MCG has deployed additional monitoring tools and will continue to enhance the security of its systems.”
According to the complaint, the Notice did not say when the information had been “previously obtained,” how MCG’s systems had been accessed, or whether the cybercriminals asked for ransom money. The complaint also claims that the additional monitoring tools and enhancements should have been in place before the data breach could take place.
The data exposed, the complaint says, included some or all of a number of elements, such as names, Social Security numbers, dates of birth, and medical codes.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
MCG Health Data Breach and Late Notice Complaint
June 24, 2022
The defendant in this case, MCG Health, LLC, stores patient data from some 1.1 million hospital patients around the US. The complaint for this class action alleges that MCG did not take adequate steps to protect this information, and, when a data breach resulted in December 2021, misrepresented how the incident had happened and did not announce the problem until months later.
MCG Health Data Breach and Late Notice ComplaintCase Event History
MCG Health Data Breach and Late Notice Complaint
June 24, 2022
The defendant in this case, MCG Health, LLC, stores patient data from some 1.1 million hospital patients around the US. The complaint for this class action alleges that MCG did not take adequate steps to protect this information, and, when a data breach resulted in December 2021, misrepresented how the incident had happened and did not announce the problem until months later.
MCG Health Data Breach and Late Notice Complaint