MCG Health Pays $8.8 Million to Resolve Class Action Data Breach Lawsuit 

MCG Health, a software company based in Seattle, WA, has offered to pay $8.8 million to resolve a class action lawsuit associated with a data breach in February 2020 that affected the protected health information (PHI) of 793,283 individuals. Two years after the data breach, on March 25, 2022, MCG Health discovered that a threat actor had acquired data from its system. The data of patients of 10 of its clients was compromised during the incident, which can be considered a potential HIPAA violation. The types of data affected include names, medical codes, Social Security numbers, postal addresses, email addresses, phone numbers, and birth dates.

The breach prompted the filing of several class action lawsuits. The lawsuits claim negligence, intrusion of privacy, bailment, breach of confidence, breach of implied contract, and violation of the Washington Consumer Protection Act. The lawsuits were consolidated into one action, In re: MCG Health Data Security Issue Litigation, filed in the U.S. District Court for the Western District of Washington.

MCG Health did not admit any wrongdoing but opted to resolve the lawsuit to avert more legal expenses and the uncertainty of trial. Under the conditions of the settlement, an $8.8 million fund will be set aside to pay for legal expenses, attorneys’ fees, and claims from people whose sensitive data was compromised during the incident. Class members may file claims of as much as $1,500 to pay for documented ordinary expenditures related to the data breach. Claims may be filed for around $10,000 to pay for extraordinary losses including identity theft and fraud. Each eligible claimant can potentially receive up to $11,500.

Class members can opt to get a cash payment instead of filing claims for a refund of losses. Cash payments will be paid pro rata after deducting administrative fees, service awards ($2,500), lawyers’ fees ($2,930,000), and claims. If those expenses exceed the amount of the settlement fund, claims will be paid first pro rata and cash payments will not be paid. Class members will also be provided 3 years of three-bureau credit monitoring services via Kroll.

The last day for filing an exclusion from or objection to the settlement is August 29, 2024. Claims should be filed on or before September 30, 2024. The final approval hearing is scheduled for September 13, 2024. The class legal representatives are Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, Adam Polk of Girard Sharp LLP, and Jason T. Dennett of Tousley Brain Stephens PLLC.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681