Cyber Incident Victim: MCG Health
Date: Feb 2020
Location: United States of America
Summary
MCG Health experienced a data breach involving unauthorized access to sensitive patient information across multiple healthcare provider clients. The incident impacted over 1.1 million individuals, with compromised data including names, Social Security numbers, medical codes, addresses, phone numbers, email addresses, dates of birth, and gender. An unknown third party demanded payment for stolen records, leading to an FBI investigation and confirmation that some patient data appeared on the dark web. The breach discovery timeline conflicted with external claims, as initial unauthorized access may have preceded official detection. The organization enhanced security measures and notified affected entities, though the full scope of data exposure remained unclear.
Description
The MCG Health data breach involved unauthorized access to sensitive patient information managed by MCG Health, a provider of clinical decision support tools for healthcare organizations. The incident was initially detected by MCG in March 2022, though forensic evidence suggested data may have been acquired by an unauthorized party as early as February 25-26, 2020. This discrepancy in timelines became a point of contention, as third-party claims emerged that MCG had been alerted to potential compromises in December 2021 and January 2022, when an unknown actor demanded payment in exchange for returning allegedly stolen patient data. MCG engaged forensic investigators and notified the FBI upon discovering the breach, though they did not publicly address these earlier extortion attempts when questioned by media outlets.

The breach impacted multiple healthcare clients that utilized MCG's services, with notifications unfolding throughout June and July 2022. On June 10, MCG reported the incident to HHS as affecting 793,283 individuals, while simultaneously informing Maine's Attorney General that three specific clients—Copley Hospital, Indiana University Health Affiliated Covered Entity, and Newman Regional Health—collectively had 1.1 million patients exposed. Additional affected entities included Avera Health (700 patients), UNC Lenoir Health Care (4,700 patients), Phelps Health, Jefferson County Health Center, Henry County Medical Center, Saint Mary’s Health Network, and Lafayette Surgical Specialty Hospital, with Catholic Health Initiatives' impact remaining unquantified. Compromised data elements included patient names, Social Security numbers, medical codes, addresses, phone numbers, email addresses, dates of birth, and gender information. Forensic analysis confirmed that records for ten patients from an unspecified entity appeared for sale on the dark web, though no UNC Lenoir records were identified in those listings. MCG implemented enhanced monitoring tools and security measures while continuing to cooperate with the FBI's ongoing investigation. Affiliated healthcare providers issued substitute notices to patients beginning in June 2022, with MCG filing breach notifications on behalf of requesting clients.
