Data Breach Notifications

Entity Information

  • Type of Organization: Healthcare
  • Entity Name: MCG Health, LLC
  • Street Address: 701 5th Avenue, Suite 4900
  • City: Seattle
  • State, or Country if outside the US: Washington
  • Zip Code: 98104

Submitted By

  • Name: Lisa Sotto
  • Title: Partner
  • Firm name (if different than entity): Hunton Andrews Kurth LLP
  • Telephone Number: 212-309-1223
  • Email Address: lsotto@hunton.com
  • Relationship to entity whose information was compromised: Outside Legal Counsel

Breach Information

  • Total number of persons affected (including residents): 1100000
  • Total number of Maine residents affected: 17
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
  • Date(s) Breach Occured: 03/25/2022
  • Date Breach Discovered: 03/25/2022
  • Description of the Breach:
    • Other
    • If other, please specify: MCG Health, LLC (“MCG”) is a HIPAA business associate that provides patient care guidelines to health care providers and health plans. MCG determined on March 25, 2022 that an unauthorized party previously obtained certain personal information of its customers’ patients and members that matched data stored on MCG’s systems. The affected patient or member data included some or all of the following data elements: names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and gender. Upon learning of the issue, MCG took steps to understand its nature and scope and to secure the company’s systems. A leading forensic investigation firm was retained to assist in the investigation, and MCG is coordinating with the FBI. Additionally, MCG has deployed additional monitoring tools and continues to enhance the security of its systems. Based on a third-party analysis of the data, there is evidence to suggest the data may have been acquired by an unauthorized party on or around February 25-26, 2020. Because there is uncertainty regarding the date the breach occurred, however, MCG has populated the mandatory field above regarding the breach date with the date MCG discovered the breach. MCG is providing notice of this incident on behalf of the customers identified in Exhibit A at their request. MCG is notifying approximately 17 affected Maine residents on behalf of these customers. MCG has arranged to offer these individuals identity protection and credit monitoring services through Experian for two years at no cost to them.
  • Information Acquired - Name or other personal identifier in combination with: Social Security Number

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 06/10/2022
  • Copy of notice to affected Maine residents: MCG - Template Notification Letter.pdfMaine EXHIBIT A - Customer List.pdf
  • Date of any previous (within 12 months) breach notifications:
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: Experian IdentityWorks services include credit monitoring and identity restoration services. MCG has arranged to offer these individuals identity protection and credit monitoring services through Experian for two years at no cost to them.