Add Phelps Care Regional Medical Center (“Phelps Health“) to any list of updates to MCG Health clients impacted by the MCG breach. Phelps’ notification indicates that it was alerted to the breach by MCG on April 22. Update: Phelps reported that 12,602 patients were impacted.
As reported previously by DataBreaches, MCG Health uses March 25, 2022 as the date they ‘discovered’ the breach, but has acknowledged that there is some indication that the breach may have begun more than a year earlier. And as noted on DataBreaches, a threat actor claims that their CEO allegedly knew last October/November when they were contacted about paying a ransom to secure return of the data. That threat actor has not contacted DataBreaches again and DataBreaches has not been able to reach them to ask for proof of some of their allegations.
Phelps’ notification does not indicate how many of their patients they are notifying, and their report has not yet appeared on HHS’s public breach tool.
But while information about this incident continues to emerge in dribs and drabs, the lawsuits have apparently already started. In Saiki v. MCG Health, LLC, plaintiff Diana Saiki is suing MCG in U.S. District Court for the Western District of Washington. The case number is 2:2022cv00849.
Update June 21: Another potential class action has been filed. The lead plaintiff in that case is Cynthia Strecker. Also filed in the Western District of Washington, the case number is No. 2:22-cv-00862.
And yet another: Thorbecke et al v. MCG Health, LLC, case 2:22-cv-00870.
June 23: And another: Booth et al v. MCG Health LLC, case 2:22-cv-00879.