WA: MCG Health notifies patients and health plan members of data breach (updated)
Seattle-based MCG Health, LLC (“MCG”) provides patient care guidelines to providers and health care plans. According to a notice on their website that was also issued as a press release yesterday, on March 25, 2022, they determined that an unauthorized party had previously obtained personal information about some patients and members of certain MCG customers.
The affected patient or member data reportedly included some or all of the following data elements: names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.
Their statement omits significant details, and DataBreaches has sent an inquiry to them asking them when and how the bad actor first gained access to their system, how many people, total, had their data accessed and how many people, total, had their data exfiltrated. DataBreaches also inquired as to whether HHS has been notified, and whether there was any ransom or extortion demand.
Although their statement does not mention any data being leaked or sold on the dark web, it may be that they first “determined” the breach in March because data was listed for sale at that time. Hopefully, they will forthrightly confirm or deny that, and will explain whether they will be offering any credit monitoring or identity theft restoration services to those affected. Their press release makes no mention of any such offer.
No response to our inquiries was immediately available, but this post will be updated as more information becomes available.
Update of June 13. DataBreaches sent an updated inquiry to MCG Health, also asking them to reply to the claims made by Twister Canyon in the Comments under the post. Of note, the commenter claims to have contacted MCG Health back in October or November about the breach, and also claims that most of the data has already been sold.
Also: Avera Health issued a notice that approximately 700 of their patients were impacted by the breach. Expect many more such notices.
Update June 14: Catholic Health Initiative has also issued a statement about their patients being impacted. As WOWT reports, MCG Health has not been responding to requests for interviews. Nor have they yet responded to this site’s requests for a response to claims made by a threat actor that they have known about this breach since last October or November and that most of the data has already been sold.
Because this seems to be a breach that may have numerous updates or follow-ups, DataBreaches is creating a separate post for updates.