Seattle-based MCG Health, LLC (“MCG”) provides patient care guidelines to providers and health care plans. According to a notice on their website that was also issued as a press release yesterday, on March 25, 2022, they determined that an unauthorized party had previously obtained personal information about some patients and members of certain MCG customers.
The affected patient or member data reportedly included some or all of the following data elements: names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.
Their full statement can be found on their site (pdf) or on businesswire.com.
Their statement omits significant details, and DataBreaches has sent an inquiry to them asking them when and how the bad actor first gained access to their system, how many people, total, had their data accessed and how many people, total, had their data exfiltrated. DataBreaches also inquired as to whether HHS has been notified, and whether there was any ransom or extortion demand.
Although their statement does not mention any data being leaked or sold on the dark web, it may be that they first “determined” the breach in March because data was listed for sale at that time. Hopefully, they will forthrightly confirm or deny that, and will explain whether they will be offering any credit monitoring or identity theft restoration services to those affected. Their press release makes no mention of any such offer.
No response to our inquiries was immediately available, but this post will be updated as more information becomes available.
Update of June 13. DataBreaches sent an updated inquiry to MCG Health, also asking them to reply to the claims made by Twister Canyon in the Comments under the post. Of note, the commenter claims to have contacted MCG Health back in October or November about the breach, and also claims that most of the data has already been sold.
Also: Avera Health issued a notice that approximately 700 of their patients were impacted by the breach. Expect many more such notices.
Update June 14: Catholic Health Initiative has also issued a statement about their patients being impacted. As WOWT reports, MCG Health has not been responding to requests for interviews. Nor have they yet responded to this site’s requests for a response to claims made by a threat actor that they have known about this breach since last October or November and that most of the data has already been sold.
Because this seems to be a breach that may have numerous updates or follow-ups, DataBreaches is creating a separate post for updates.
Some clarification on this article:
* MCG Health was notified in October/November of 2021 when their CEO was contacted about the return of the data
* Approximately 156 million records have been taken that were considere saleable. More (almost 50 million more) were seen to not have enough data to be sold, but still exist as data taken
* Much of this has been resold either by medical code (dementia) age or other characteristics. This was done on the dark web, coordinated on the Versus market (twistercanyon vendor) but most sold off market in bulk
* Remaining may be resold now that this long overdue notice has finally gone out. Versus is down so it’s unclear what site this will pop up on next.
Please check your email for mail from [email protected].