Recently, Phelps County Regional Medical Center (“Phelps Health”) announced a data breach related to a cybersecurity incident that occurred at MCG Health, LLC (“MCG”), a vendor used by Phelps Health. According to the notice provided by Phelps Health, the breach resulted in the names, Social Security numbers, medical codes, addresses, telephone numbers, email addresses, dates of birth and genders of affected patients being compromised. On June 17, 2022, Phelps Health filed an official notice of the breach and sent out data breach letters to 12,602 individuals who were affected by the breach.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Phelps Medical Center data breach, please see our recent piece on the topic here.
How Did the Phelps Medical Center / MCG Data Breach Happen?
According to an official notice filed by Phelps Health, on April 22, 2022, MCG contacted Phelps Health to inform the company of a data security incident affecting its computer systems. In response, MCG secured its systems and enlisted the help of cybersecurity professionals to investigate the incident. On March 25, 2022, MCG determined that personal information pertaining to certain Phelps Health patients was leaked in the MCG data breach.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Phelps Medical Center and MCG worked together to determine which parties were affected and what information was compromised. While the breached information varies depending on the individual, it may include your name, Social Security number, medical code, address, telephone number, email address, date of birth and gender.
On June 17, 2022, Phelps Medical Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Phelps County Regional Medical Center
Phelps County Regional Medical Center is a health system based in Rolla, MO. Phelps Health operates seven primary care facilities, six specialty care centers, one hospital and three emergency and immediate care facilities in Salem, St. James, Vienna and Waynesville, Missouri. In total, Phelps Health provides care for more than 200,000 residents in south-central Missouri. Phelps Medical Center employs more than 1,600 people and generates approximately $230 million in annual revenue.
Third-Party Data Breaches
The Phelps Health breach is what is referred to as a third-party data breach. A third-party data breach is one in which the company experiencing the breach was not the company that interacted with the consumer and accepted their information. Most often, as is the case in the Phelps Health data breach, these incidents involve cyberattacks at vendors the primary company relies on to perform certain services.
Following a data breach, especially one involving multiple companies, victims may wonder which organization is liable for the breach. As a preliminary matter, under state and federal data breach laws, all organizations have an obligation to protect consumer information in their possession, regardless of whether they were the company that took a consumer’s information.
In the case of the Phelps Health / MCG data breach, there is no indication that Phelps Health’s data security systems were inadequate. However, depending on the outcome of the investigation, Phelps Health may have been negligent in entrusting consumer data to MCG. For example, this may be the case if Phelps Health had reason to believe that MCG’s data security systems were lacking or that the company had a history of mishandling consumer data.
Of course, because the breach occurred at MCG, it too may be liable for the breach, depending on the outcome of the investigation. The question in all data breach cases is whether the company took the necessary care to protect the consumer information in its possession.
Organizations must take their consumer privacy duties seriously, and those businesses that choose not to do so increase the likelihood of a breach. By bringing a data breach lawsuit, victims of a breach can pursue financial compensation for what they’ve been through. These cases also go a long way in encouraging companies to ensure they do everything possible to protect consumer data from cyber threats.