A Minnesota network of family medicine practices started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago.
Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email.
The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”
The investigation uncovered no evidence of actual or attempted misuse of any personal information. Entira Family Clinics said it is working to improve security and mitigate risk, and that process has involved a review and update of policies and procedures related to the security of its systems, servers, and life cycle management. A security audit was also conducted of the Netgain environment to ensure stricter security of the cloud hosting site.
Affected individuals have been offered a complimentary membership to online credit monitoring services through IDX. The breach report submitted to the Maine Attorney General indicates 199,628 individuals were affected.
The notification letters sent to affected individuals state, “We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information,” and that “Netgain was recently the target of a cybersecurity incident.”
There was no mention of the date of the breach in the notification letters, so affected individuals would not be aware that the ransomware attack and data theft incident had occurred more than 12 months previously on November 4, 2020.
Netgain announced the data breach in December 2020, and most affected companies were notified by February 2021. Most of the affected Netgain clients sent notification letters in the spring and summer of 2021. It is unclear why there was such a long delay in Entira Family Clinics issuing notification letters, and whether this was due to late notification from Netgain.
Also this month, Caring Communities, an Illinois-based member-owned liability insurance company serving not-for-profit senior housing and care organizations, also sent notification letters about the Netgain data breach. The notification letters were sent on January 14, 2022, and closely mirror those sent by Entira.
Caring Communities also said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”
Caring Communities said it replaced Netgain as its hosting provider and migrated its environment to another service provider after being notified about the data breach and the same steps are being taken to improve security. Affected individuals have similarly been offered credit monitoring and identity theft protection services through IDX. It is currently unclear how many individuals have been affected. The notification letters also refer to the recent cyberattack on Netgain and do not mention when the attack occurred nor why there was such a long delay in issuing notification letters.
The post Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack appeared first on HIPAA Journal.