A Minnesota family medical practice this week began notifying nearly 200,000 individuals that their information had been compromised in a 2020 ransomware attack on cloud hosting and managed services provider Netgain Technology, an incident that also affected several of the vendor’s other clients and hundreds of thousands of their patients.
In a breach report filed Thursday with the Maine attorney general, St. Paul, Minnesota-based Entira Family Clinics says the Netgain incident affected 199,628 individuals, including nine Maine residents.
Entira says patients’ protected health information potentially accessed by “an unknown party” in the incident includes name, address, Social Security number and medical history.
“At this time, Entira does not have any evidence to indicate that any personal information has been or will be misused as a result of this incident,” a notification statement posted on Entira’s website says.
Several class action lawsuits have been filed against Netgain in the wake of the 2020 ransomware incident. At least one of those lawsuits, filed in May 2021 in a Minnesota federal court, alleges data was exfiltrated in the September 2020 Netgain ransomware incident.
That lawsuit also alleges Netgain’s notification to some of its healthcare clients was “unreasonably delayed.”
St. Cloud, Minnesota-based Netgain declined Information Security Media Group’s request for comment on the 2020 incident, including the breach reported this week by Entira, which is tied to the incident.
The Jan. 13 breach report filed by Entira to the Maine attorney general notes that the breach occurred and was discovered on Dec. 7, 2020.
But a sample breach notification letter and statement posted on Entira’s website omits the dates of the Netgain breach, saying only that Entira “recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information.”
Some experts say Entira’s breach notice submitted to the Maine attorney general raises questions about the timeliness and content of its breach notification.
“The HIPAA Breach Notification Rule requires that notice to HHS and consumers be made within 60 days of when there is a ‘greater than low risk of compromise to unsecured PHI.’ The content of the notification sent to individuals must include a brief description of what happened, including the date of the breach and the date of discovery,” says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
“Entira’s response to the breach of PHI is an example of the type of incident that deserves further review for compliance with the breach notification rule by the Office for Civil Rights or state attorney general.”
The HHS OCR HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that on March 2, 2021, Entira reported a hacking/IT incident involving a network server that affected 1,975 individuals.
An attorney representing Entira did not immediately respond to Information Security Media Group’s request for additional information and clarification about the Netgain incident and about the breach reported by Entira to HHS in March 2021.
In the wake of the incident, Entira says it is taking steps to improve its security and mitigate risk. That includes reviewing and altering its policies and procedures relating to the security of its systems and servers, as well as its information life cycle management.
Entira is also offering affected individuals complimentary credit and identity monitoring services.
Memorial Health System Breach
Among the other healthcare entities reporting a major health data breach this week as a result of an apparent ransomware incident was Marietta, Ohio-based Memorial Health System.
In a breach report filed Wednesday to Maine’s attorney general, Memorial Health System says nearly 216,500 individuals, including 26 Maine residents, were affected by the August “malware incident.”
The incident prompted the organization to divert emergency care patients from three of its hospitals to other area facilities and cancel or reschedule patient appointments for several days.
In a breach notification statement posted on its website, MHS says that on Aug. 14, 2021, it identified the presence of malware on certain servers in its environment. Through its investigation into the incident, MHS determined that “in connection with the malware event, an unauthorized actor accessed certain systems within the organization’s network on or about July 10 through August 15, 2021.”
MHS on Sept. 17 determined that the unauthorized actor may have accessed or acquired information from systems potentially containing patient information, the notification letter says.
Patient information affected by the incident includes name, address, Social Security number, medical/treatment information and health insurance information, MHS says. The healthcare entity is offering affected individuals one year of complimentary credit and identity monitoring.
MHS says it has added further technical safeguards to its environment to improve the security of its systems.