Minnesota family clinic waits one year to notify patients of data breach

por John R. Fischer, Senior Reporter | January 26, 2022
Cyber Security Health IT
Entira Family Clinics did not notify patients for one year of a data breach that took place in December 2020
Entira Family Clinics notified approximately 200,000 patients this month that their data may have been compromised in a data security incident over a year ago.

The breach took place via Netgain Technology, the third-party cloud IT service provider for the family clinic in Minnesota, and was perpetrated by an unknown party. Netgain discovered the ransomware attack in early December 2020 and immediately notified affected organizations, including Entira, according to Health IT Security.

In accordance with the HIPAA Breach Notification Rule, organizations that experience a healthcare data breach must report the incident to HHS and impacted individuals within 60 days of the incident. The clinic did not explain why it waited until now to disclose the breach but said it may have compromised protected information such as names, addresses, social security numbers and medical history of 199,628 patients. In addition to its patients in Minnesota, Entira serves residents of Maine. As a result, it is required to report any data breach affecting these state residents to the Maine Attorney General.
DOTmed text ad

Reveal Mobi Pro now available for sale in the US

Reveal Mobi Pro integrates the Reveal 35C detector with SpectralDR technology into a modern mobile X-ray solution. Mobi Pro allows for simultaneous acquisition of conventional & dual-energy images with a single exposure. Contact us for a demo at no cost.

The breach is alleged to have occurred between September and December 2020 and targeted Netgain’s domain controllers, which manage networks of thousands of servers, according to a lawsuit filed against Netgain in May 2021. According to the lawsuit, on these servers was PII/PHI provided by clients to Netgain, which provides hosting and cloud IT solutions for healthcare entities like Entira, including cloud services and email.

The suit alleges that the attack included exfiltration of data. The company is facing multiple other class-action suits against it over the incident.

No evidence showed that patient information was misused, according to Entira. “Nevertheless, Entira decided to notify potentially impacted individuals of this incident out of an abundance of caution,” said the company in a letter to patients.

Entira Family Clinics is working to improve security and reviewing and changing policies and practices around the security of its systems and servers, as well as its information life cycle management. It has also performed a security audit of Netgain to add stricter security to Netgain’s cloud hosting site and hired a law firm that specializes in cybersecurity to investigate the matter further. The clinic is offering complimentary online credit monitoring services through IDX to those affected by the breach.

You Must Be Logged In To Post A Comment