Social Security numbers from 1.1 million patients leaked in 2020 Indiana University hospital breach

The sensitive information of 1.1 million patients served by Indiana University Health hospital was leaked in a data breach that took place in 2020, according to notification letters sent out by a vendor of the hospital. 

Filings with the Maine Attorney General’s office say the breach came from MCG Health and involved names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and genders. 

MCG Health – based in Seattle – is part of Hearst Health and says it provides healthcare facilities with artificial intelligence, technology solutions and “objective clinical expertise” designed to improve “financial and clinical outcomes.”

The company began sending out thousands of breach notification letters on June 10 after it discovered it was hacked on March 25. 

In the letters sent to victims, MCG Health said it hired a “forensic investigation firm” to help with the response and is “coordinating with the FBI.” 

The letters to victims omit the fact that the investigation revealed the hack may have actually taken place “on or around February 25-26, 2020.”

“Because there is uncertainty regarding the date the breach occurred, however, MCG has populated the mandatory field above regarding the breach date with the date MCG discovered the breach,” the company said in its filings with the Maine Attorney General’s office. 

An Indiana University Health spokesperson directed all inquiries about the breach to MCG Health, which did not respond to requests for comment about the gap between when it discovered the breach and when it notified victims.

MCG Health said it will be offering victims two years of free identity protection and credit monitoring services through Experian. 

The Herald-Times in Bloomington, Indiana reported that patients in at least nine different states were affected by the breach. 

At least one person with information involved in the breach, Cynthia Strecker, has filed a lawsuit against MCG Health over its handling of the incident.

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
