Entira Family Clinics, a family medicine practice based in Minnesota, sent data breach notification letters to impacted individuals via the Maine Attorney General’s Office on January 13, 2022. The Maine Attorney General’s Office said that the breach impacted nearly 200,000 individuals associated with the family medicine practice.
In the letter, Entira wrote that it had “recently discovered” a data breach that occurred within Netgain Technology, a cloud hosting provider.
However, Netgain discovered the breach in late 2020 and subsequently notified impacted organizations. It is important to note that Entira’s letter does not mention when the breach occurred or when it was notified of the incident.
“Netgain is a third-party entity that offers hosting and cloud IT solutions primarily for the healthcare and accounting industry. Entira, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail. Netgain was recently the target of a cybersecurity incident,” the letter stated.
“Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”
The Netgain breach affected hundreds of thousands of individuals in total and impacted Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others.
“Based on the results of this investigation, we have determined that information, including your name, address, social security number and medical history, were accessed by an unknown party that is not authorized to handle or view such information,” the letter continued.
“At this time, Entira does not have any evidence to indicate that any of your personal information has been or will be misused as a result of this incident. Nevertheless, Entira decided to notify you of this incident out of an abundance of caution.”
Entira said it is working to improve its security practices and alter its policies relating to information life cycle management. The family practice also performed a security audit of the Netgain environment. In addition, impacted individuals are eligible for complimentary credit monitoring through IDX.
Netgain is facing multiple class-action lawsuits regarding the data breach. Although Entira’s notification said it had no evidence of data misuse, a lawsuit filed against Netgain in May 2021 alleged that data exfiltration was involved.
Under the HIPAA Breach Notification Rule, organizations that suffered a healthcare data breach are required to report the breach to HHS and impacted individuals within 60 days of the incident.
This post, Family Medicine Practice Notifies Patients of Data Breach 1 Year Later, was shared by Health IT Security on January 18, 2022.