Updates to the MCG Health Breach Incident
For initial coverage, read this post.
A threat actor, “Twister Canyon,” claims that MCG Health has made false claims about the incident. Their claims can be found in the Comments section under the original post. MCG Health was asked to respond to their claims but has not replied as of this June 14 posting.
June 14 update: the following entities have reported being affected by the MCG Health incident:
June 15 update: the Maine Attorney General’s Office posted MCG’s notification to them, which reported that a total of 1.1 million people were affected across the MCG Health clients listed in Exhibit A. The notice to Maine also disclosed that “Based on a third-party analysis of the data, there is evidence to suggest the data may have been acquired by an unauthorized party on or around February 25-26, 2020. Because there is uncertainty regarding the date the breach occurred, however, MCG has populated the mandatory field above regarding the breach date with the date MCG discovered the breach. MCG is providing notice of this incident on behalf of the customers identified in Exhibit A at their request.” Those entities are:
- Copley Hospital
- Indiana University Health Affiliated Covered Entity
- Newman Regional Health
June 20 update:
- Phelps Care Regional Medical Center d/b/a Phelps Health
- Jefferson County Health Center
- UNC Lenoir Health Care – 4700
June 22 update:
MCG Health has not responded to DataBreaches’ request that it respond to claims by “Twister Canyon” that it first knew about the breach last year and not in March 2022, as MCG’s disclosure had claimed. But now UNC Lenoir Health Care’s disclosure notice provides what appears to be some support for Twister Canyon’s claims, although Lenoir does not indicate how/where they got their information. In their disclosure they write:
In December of 2021 and again in January of 2022, MCG was contacted by an unknown third-party who claimed to have improperly obtained patient data from MCG. This third-party made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI. MCG made Lenoir aware of this incident on April 24, 2022. MCG’s forensic investigators confirmed that records for ten (10) patients were listed by this third party for sale on the dark web. These records are believed to have come from MCG. Lenoir patient records were not found on the dark web, but MCG has determined that the unauthorized third-party may be in possession of Lenoir information which could include: patient name, Social Security number, medical codes, street address, telephone number, email address, date of birth and gender.
The unauthorized third-party who may be in possession of Lenoir patient data has not been identified as of the date of this letter but the FBI investigation is ongoing. MCG has been unable to identify how this unauthorized third-party acquired Lenoir patient information but has deployed additional monitoring tools and will continue to enhance the security of its systems.
Update June 23: MCG Health reported this incident to HHS on June 10 as impacting 793,283 patients. It is not clear how many covered entities (CEs) they are filing for, but on the same day they notified Maine that they were reporting for 1.1 million patients of three of their clients (see earlier update).
Update June 27: Saint Mary’s Health Network reported that they, too, were notified.
Update July 14: Lafayette Surgical Specialty Hospital reported that they, too, were affected.