camilo-jimenez-vGu08RYjO-s-unsplash (1)

Social Security numbers from 1.1 million patients leaked in 2020 Indiana University hospital breach

The sensitive information of 1.1 million patients served by Indiana University Health hospital was leaked in a data breach that took place in 2020, according to notification letters sent out by a vendor of the hospital. 

Filings with the Maine Attorney General’s office say the breach came from MCG Health and involved names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and genders. 

MCG Health – based in Seattle – is part of Hearst Health and says it provides healthcare facilities with artificial intelligence, technology solutions and “objective clinical expertise” designed to improve “financial and clinical outcomes.”

The company began sending out thousands of breach notification letters on June 10 after it discovered it was hacked on March 25. 

In the letters sent to victims, MCG Health said it hired a “forensic investigation firm” to help with the response and is “coordinating with the FBI.” 

The letters to victims omit the fact that the investigation revealed the hack may have actually taken place “on or around February 25-26, 2020.”

“Because there is uncertainty regarding the date the breach occurred, however, MCG has populated the mandatory field above regarding the breach date with the date MCG discovered the breach,” the company said in its filings with the Maine Attorney General’s office. 

An Indiana University Health spokesperson directed all inquiries about the breach to MCG Health, which did not respond to requests for comment about the gap of time between when they discovered the breach and when they notified victims. 

MCG Health said it will be offering victims two years of free identity protection and credit monitoring services through Experian. 

The Herald-Times in Bloomington, Indiana reported that patients in at least nine different states were affected by the breach. 

At least one person with information involved in the breach, Cynthia Strecker, has filed a lawsuit against MCG Health over their handling of the incident. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.