Summary: MCG Health has agreed to pay $8.8 million to settle a class action lawsuit stemming from a data breach that went undetected for two years, affecting approximately 1.1 million individuals. The lawsuit alleges negligence in protecting sensitive information and highlights the growing trend of litigation against healthcare vendors following data breaches.
Threat Actor: Unidentified unauthorized party (not named in the source; MCG Health is the breached vendor, not the attacker)
Victim: Approximately 1.1 million individuals, largely patients of MCG Health's healthcare clients
Key Points:
- MCG Health’s data breach occurred in February 2020 but was only reported to authorities in June 2022.
- The proposed settlement includes reimbursements for affected individuals and a commitment to enhance cybersecurity measures.
- This case exemplifies the increasing legal repercussions for healthcare vendors following data breaches.
Healthcare, Industry Specific, Legislation & Litigation
Litigation Alleges Vendor Took 2 Years to Discover Data Theft After Hack
Software vendor MCG Health has agreed to pay $8.8 million to settle a consolidated proposed federal class action lawsuit involving a 2020 hacking incident. The suit claims the company took two years to identify and report a data theft that affected about 1.1 million people.
The consolidated proposed class action lawsuit filed in 2022 and amended in 2023 alleges, among other claims, that Seattle-based MCG was negligent in failing to protect the sensitive information of plaintiffs and class members – and failing to detect the data breach for more than two years after a February 2020 hack.
MCG, which is part of the Hearst Health Network and a provider of patient guidelines and software to health plans and healthcare entities, denies all alleged claims and wrongdoing in the litigation (see: Lawsuits in Wake of MCG Health Data Breach Start Piling Up).
MCG reported the incident to the Maine attorney general’s office on June 6, 2022, as affecting 1.1 million individuals, but to the U.S. Department of Health and Human Services’ Office for Civil Rights later that month it listed the incident as a HIPAA breach that affected nearly 800,000 people.
Among those affected were patients of at least 10 MCG healthcare entity clients, including North Carolina-based UNC Lenoir Health, Missouri-based Phelps Health and Indiana-based IU Health.
Under the proposed settlement, which was approved by a Washington federal court in May and is set for a final approval hearing Sept. 13, class members can receive up to $1,500 in reimbursement for documented out-of-pocket expenses traceable to the MCG incident or up to $10,000 in reimbursement for documented extraordinary losses stemming from the incident.
As an alternative, class members can opt for a pro-rated cash payment from whatever, if anything, remains of the $8.8 million settlement fund after payments are made for the claims for ordinary and extraordinary losses, as well as service awards of up to $2,500 for each of the dozen representative plaintiffs and $2.93 million in attorney fees and expenses.
Each class member is also being offered three years of credit monitoring.
Under the proposed settlement, MCG agreed to implement and maintain “certain enhanced cybersecurity measures,” including advanced intrusion detection and prevention tools, enhanced detection and monitoring of unauthorized activity in its IT environment, and regular vulnerability scanning.
“The MCG settlement explains the nature of health data breach class actions and their sudden, significant impact on the healthcare industry,” said regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the MCG case.
“Class action lawyers stand ready to strike swiftly at reported health data breaches. Private lawyers now are perhaps the most fearsome enforcers of health privacy laws,” he said.
Alleged Breach Details
In its June 2022 breach report to the Maine attorney general, MCG said the affected data “may have been acquired by an unauthorized party on or around Feb. 25-26, 2020” but “there is uncertainty regarding the date the breach occurred.”
The amended consolidated lawsuit said the delay in detection was unacceptable. “That the data breach went undetected for over two years by a sophisticated provider of data management services and software solutions to the healthcare industry makes defendant’s security failure all the more egregious,” the plaintiffs alleged.
The data breach “was a direct result of defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients’ and employees’ private information from the foreseeable threat of a cyberattack,” the lawsuit alleges.
MCG did not immediately respond to Information Security Media Group’s request for comment on the hacking incident and proposed lawsuit settlement.
Other Litigation
The proposed settlement in the MCG data breach lawsuit adds to a growing list of major hacking incidents involving third-party vendors in the healthcare sector and related class action litigation filed in the aftermath.
On July 22, the National Community Pharmacists Association, along with dozens of healthcare providers from multiple states, filed in a Minnesota federal court a proposed class action lawsuit against UnitedHealth Group and its Change Healthcare and Optum subsidiaries for losses resulting from the massive February cyberattack on Change Healthcare.
The lawsuit alleges that Change Healthcare failed to take reasonable precautions against a “catastrophic” breach, misled clients about its network security and caused massive financial losses for healthcare providers who were never reimbursed for services and incurred huge expenses in workarounds during the vendor’s IT services outage.
Change Healthcare and UnitedHealth Group also face dozens of other proposed class action lawsuits filed by other plaintiffs, including individuals who allege their information was compromised in the incident (see: Change Healthcare Attack: Recovery Woes; Lawsuits Pile Up).
“Health data breach class actions multiply rapidly because it all comes down to money,” Hales said. “And the money is not measured by sums paid to persons harmed by wrongful disclosure of their sensitive personal information. It is measured by legal and reputational costs saved by defendants and legal fees earned by plaintiffs’ lawyers.”
Source: https://www.bankinfosecurity.com/software-maker-mcg-health-settles-data-breach-suit-for-88m-a-25851