A Minnesota network of family medicine practices began sending notifications to approximately 200,000 patients concerning the potential compromise of some of their personal data and protected health information (PHI) due to a cyberattack on a business associate about a year ago.
The breach notification letters that Entira Family Clinics sent to the affected people on January 13, 2022 stated that the breach happened at Netgain Technologies, a hosting and cloud IT solutions provider to organizations in the healthcare and accounting industries. Entira Family Clinics used Netgain’s hosting and email services.
The healthcare organization said the files likely compromised included names, Social Security numbers, addresses, and medical histories. Entira said in its notification letters that it put its information technology (IT) support group to work immediately upon becoming aware of the breach and engaged a law firm specializing in cybersecurity and data privacy to investigate. It also communicated closely with Netgain and its breach counsel concerning Netgain’s incident response and forensic investigation.
The investigation found no evidence of actual or attempted misuse of any personal records. Entira Family Clinics said it is taking steps to enhance security and mitigate risk, a process that included an assessment and update of policies and procedures associated with the security of its systems, servers, and life cycle management. A security analysis of the Netgain environment was likewise performed to ensure stronger security of the cloud hosting platform.
Entira Family Clinics offered the impacted individuals a complimentary membership to online credit monitoring services via IDX. The breach report submitted to the Maine Attorney General shows 199,628 persons were affected.
The notification letters distributed to the impacted people state that the provider found out that a data security incident in Netgain’s environment may have caused the accidental exposure of their personal data and that Netgain was recently the target of a cybersecurity incident.
The date of the incident was not mentioned in the notification letters, so affected persons would not realize that the ransomware attack and data theft had happened more than 12 months earlier, on November 4, 2020.
Netgain disclosed the data breach in December 2020, and the majority of impacted firms were informed by February 2021. Many of the affected Netgain clients dispatched notification letters during the spring and summer months of 2021. It is uncertain why Entira Family Clinics delayed issuing notification letters for so long, and whether this was because of delayed notification from Netgain.
Also this month, Caring Communities, a member-owned liability insurance provider in Illinois serving not-for-profit senior housing and care organizations, sent notification letters regarding the Netgain data breach. The firm mailed notification letters on January 14, 2022, which contained the same information as those provided by Entira.
Caring Communities stated that it is no longer using Netgain as its hosting provider, that it transferred its environment to a different service provider after being advised of the data breach, and that it is taking similar steps to strengthen security. Affected persons have likewise been provided credit monitoring and identity theft protection services through IDX. It is currently not clear how many people were impacted. The notification letters also refer to a recent cyberattack on Netgain and do not mention when the attack took place or why the notification letters were so long delayed.