Lawsuits in Wake of MCG Health Data Breach Start Piling Up
Four Proposed Federal Class Action Lawsuits Filed So Far This Week
Data breach attorneys are flooding courts with proposed federal class action lawsuits against MCG Health after the company disclosed a data breach affecting up to 1.1 million individuals.
As of Friday, at least four lawsuits with similar allegations stemming from a just-revealed 2020 breach have been filed against the clinical guidelines vendor. The venue of all four is the U.S. District Court in Western Washington, where the company is located.
MCG Health is part of the Hearst Health Network. The company says a majority of U.S. health plans and nearly 2,600 hospitals use its services, including its clinical evidence-based guidelines.
Although the lawsuits are still in their early days and possibly years away from a judge's determination about class certification - assuming they make it that far - they underscore how data breaches can trigger liability for companies across the healthcare industry. Large business associates process the protected health information of millions of patients and thousands of covered entity clients, making them targets for hackers and for post-breach lawsuits alike.
Several MCG Health healthcare provider clients have already issued their own breach statements related to the incident. Each contains the same description of the incident as it appears in a June 10 breach notification statement posted on MCG's website.
MCG reported the incident to the Maine attorney general's office on June 6 as affecting 1.1 million individuals, a considerable difference from the 800,000 people it later said were affected in a HIPAA breach report filed with the Department of Health and Human Services' Office for Civil Rights.
The putative class action lawsuits make similar allegations including negligence, invasion of privacy, and violations of Washington state's consumer protection law.
Each of the lawsuits seeks damages. Three of the lawsuits - which are being handled by the same law firm - also request court orders for MCG to improve its data protection practices, including through encryption and the implementation of comprehensive information security programs.
The plaintiffs contend that the MCG breach was the result of the company's failure to secure highly sensitive personal information of patients.
The complaints allege that in the final days of February 2020, hackers accessed MCG's computer systems and exfiltrated patient files without the company detecting the breach until more than two years later, in March 2022.
The company waited another couple of months, until June 10, to notify affected individuals, the lawsuits allege.
MCG's breach report to the Maine attorney general's office indicates the company is arranging for two years of complimentary identity and credit monitoring services to be offered to affected individuals.
Post-breach investigations often reveal fundamental problems with healthcare businesses' security stance, says regulatory attorney Paul Hales of Hales Law Group, who is not involved in the MCG lawsuits.
"Common problems are failure to implement basic safeguards beginning with enterprisewide risk analysis and risk management, the foundation of HIPAA security management," he tells Information Security Media Group.
Business associates have been directly liable for HIPAA compliance for more than a decade, he adds. "Large breaches invite close scrutiny of their HIPAA compliance. Business associates, particularly large organizations with ample resources, have no excuse for failing to comply with HIPAA."
Covered entities have a responsibility of due diligence before entrusting PHI to business associates, he says.
Demands to Enhance Security
At least three of the lawsuits so far request a court order for the company to implement a long list of actions meant to prevent similar data security incidents from happening again.
Those demanded MCG security improvements include:
- Encrypting all data;
- Prohibiting the company from maintaining the personally identifiable information of plaintiffs and class members on a cloud-based database;
- Conducting periodic simulated attacks, penetration tests, and audits on MCG's systems, and quickly correcting any problems identified;
- Running automated security monitoring;
- Auditing, testing and training MCG's security personnel regarding any new or modified procedures - and also training all other employees annually on information security;
- Requiring data segmentation;
- Implementing logging and monitoring programs to track server and network traffic;
- For a 10-year period, appointing a third-party assessor to conduct annual SOC 2 Type 2 attestations.
Attorneys representing the plaintiffs in these cases did not immediately respond to Information Security Media Group's requests for comment.
MCG Health also did not immediately respond to ISMG's request for comment on the litigation and for additional details about the data breach.