Entira Family Clinics notified approximately 200,000 patients this month that their data may have been compromised in a data security incident over a year ago.
The breach took place via Netgain Technology, the third-party cloud IT service provider for the family clinic in Minnesota, and was perpetrated by an unknown party. Netgain discovered the ransomware attack in early December 2020 and immediately notified affected organizations, including Entira, according to Health IT Security.
In accordance with the HIPAA Breach Notification Rule, organizations that experience a healthcare data breach must report the incident to HHS and impacted individuals within 60 days of the incident. The clinic did not explain why it waited until now to disclose the breach but said it may have compromised protected information such as names, addresses, Social Security numbers and medical history of 199,628 patients. In addition to its patients in Minnesota, Entira serves residents of Maine. As a result, it is required to report any data breach affecting these state residents to the Maine Attorney General.
The breach is alleged to have occurred between September and December 2020 and targeted Netgain’s domain controllers, which manage networks of thousands of servers, according to a lawsuit filed against Netgain in May 2021. According to the lawsuit, on these servers was PII/PHI provided by clients to Netgain, which provides hosting and cloud IT solutions for healthcare entities like Entira, including cloud services and email.
The suit alleges that the attack included exfiltration of data. The company is facing multiple other class-action suits against it over the incident.
No evidence showed that patient information was misused, according to Entira. “Nevertheless, Entira decided to notify potentially impacted individuals of this incident out of an abundance of caution,” said the company in a letter to patients.
Entira Family Clinics is working to improve security and reviewing and changing policies and practices around the security of its systems and servers, as well as its information life cycle management. It has also performed a security audit of Netgain to add stricter security to Netgain’s cloud hosting site and hired a law firm that specializes in cybersecurity to investigate the matter further. The clinic is offering complimentary online credit monitoring services through IDX to those affected by the breach.
A Texas healthcare provider, Gastroenterology Consultants, was in a similar situation last September when it received backlash for waiting seven months to notify over 161,000 patients of a ransomware attack it experienced in January 2021. Many were additionally shocked that the company paid the hackers the ransom and trusted them to delete the data in exchange.
While the organization’s patient medical record system was not affected, Gastroenterology did confirm that Social Security numbers for a small number of patients were compromised, and that the attack primarily affected names, addresses and personal health information.
In addition to Entira and its patients, the breach at Netgain has affected hundreds of thousands of individuals in total and impacted Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others, reported Health IT Security.
Entira did not respond to calls for comment.