MCBS Data Breach Compromises PII and PHI Data

MCBS LLC, a medical billing and business services company headquartered in Augusta, Georgia, disclosed a data breach involving unauthorized access to its computer network.

Founded in 1981, MCBS provides billing, coding, practice management and administrative support services to healthcare providers, primarily small and medium-sized practices.

The breach was reported to the California Attorney General on June 26, 2026. MCBS has also posted a notice about the incident on its website.

On or about Sept. 25, 2025, MCBS learned that an unauthorized individual may have gained access to its network. The company stated that it commenced an investigation with the help of external cybersecurity professionals experienced in handling these types of incidents.

After an extensive forensic investigation and comprehensive document review, MCBS discovered on or about May 28, 2026, that certain files containing personal information may have been subject to unauthorized acquisition. The period of unauthorized access lasted approximately four days, occurring between Sept. 22, 2025, and Sept. 26, 2025.

Because MCBS operates as a third-party billing and services provider for healthcare practices, the affected individuals are patients of the healthcare providers that contracted with MCBS for medical billing services. The company is sending notification letters on behalf of those healthcare provider clients.

The types of information potentially exposed include both personally identifiable information (PII) and protected health information (PHI). Specifically, the exposed data may include names, dates of birth, addresses, Social Security numbers, diagnosis information, medical history, medical treatment information, mental or physical condition information, health insurance policy numbers or subscriber identification numbers, health plan beneficiary numbers and other health insurance information.

MCBS' response to the breach

MCBS is offering affected individuals complimentary access to identity protection services through a third-party provider as a precaution. Enrollment instructions and details about the duration of coverage are included in the notification letters sent to affected individuals. The notification letters also contain guidance on additional protective measures, such as placing fraud alerts and security freezes on credit files and obtaining free credit reports.

MCBS has also established a dedicated, confidential toll-free response line staffed with professionals who are familiar with this incident and knowledgeable about steps individuals can take to protect against potential misuse of their information.

The response line is available to help affected individuals understand what happened and get answers to their questions. The phone number and hours of operation are provided in the individual notification letters that MCBS has mailed to affected consumers.