MCG HIPAA Breach Triggers Multiple Lawsuits

Multiple lawsuits will take place in the U.S. District Court of Western Washington regarding a significant breach of PHI. At least 4 class-action lawsuits have been filed against MCG Health, a clinical guidelines vendor that integrates artificial intelligence with clinical expertise to assist healthcare organizations in providing treatment to their patients. As a component of Hearst Health Network, MCG Health provides clinical guidelines to nearly 2,600 hospitals and the majority of health plans within the U.S.

On June 6, MCG Health issued a report of the breach to the Maine Attorney General’s office. The clinical guidelines vendor reported that the breach had potentially affected 1.1 million individuals. Subsequently, MCG Health filed a breach report with the HHS’ Office for Civil Rights maintaining that the breach had affected 800,000 patients. It is believed that the difference is a result of customers reporting the incident independently. Multiple healthcare provider clients of MCG Health have come forward. Entities with affected individuals include Indiana University Health, Phelps Health, UNC Lenoir Health, and Jefferson County Health Center.

MCG Health claims to have detected the breach on May 25, 2022. An unauthorized third party acquired files from the company’s system. The information consisted of individually identifiable information including names, dates of birth, Social Security numbers, medical codes, addresses, telephone numbers and genders. Hackers will use stolen information to commit a variety of crimes including theft and fraud.

The plaintiffs make similar claims: that the breach occurred as a result of the company’s negligence in protecting its clients’ confidential information, in addition to invasion of privacy, breach of implied contract, breach of confidence, bailment, and finally, a violation of the Washington Consumer Protection Act. The plaintiffs allege that the breach occurred 2 years before MCG Health claims, indicating that the incident took place in February 2020. Another lawsuit claims the hackers had accessed the files within the company’s systems for at least 2 weeks before the breach was discovered.

As a result of the breach, several plaintiffs are at risk of identity theft and fraud. The affected plaintiffs claim to have suffered interference, loss of time, and inconvenience as a consequence. For this reason, the plaintiffs seek compensatory and punitive damages, attorneys’ costs and other relief. The lawsuits call for MCG Health to significantly improve its data security. Three of the lawsuits request a court order for MCG Health to implement more robust data protection procedures such as encryption and extensive information security programs. These include encrypting all data, conducting routine penetration tests, and ceasing to store personal information in cloud databases.