HIPAA Breach News

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022, but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here.

Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process.

The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) on behalf of the GAO, and responses will be provided in aggregate to GAO.

GAO has requested only one survey be completed by each covered entity and business associate. GAO said it will not attribute specific comments to specific individuals and/or organizations when it produces the report, and the only individually identifiable information passed to GAO will be the email address provided in the survey along with any individually identifiable information provided voluntarily in any of the open-ended questions.

“This is an important opportunity to inform the work of the GAO and help identify the benefits of, along with the many issues of concern expressed over the years by hospitals and health system victims of cyberattacks, regarding the ensuing HHS Office for Civil Rights audit and investigation process,” said John Riggi, AHA national advisor for cybersecurity and risk.

The post February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements appeared first on HIPAA Journal.

Cyberattacks and Data Theft Incidents Reported by Medical Healthcare Solutions and Advocates Inc.

Advocates Inc., a Massachusetts-based nonprofit provider of support services for individuals experiencing life challenges such as addiction, autism, brain injury, intellectual disabilities, mental health, and behavioral health, has announced it recently experienced a sophisticated cyberattack and data theft incident.

Advocates was informed on October 1, 2021, that an unauthorized individual had gained access to its network and copied files containing the sensitive data of patients and employees. A leading cybersecurity firm was engaged to assist with the investigation, which revealed an unknown individual had accessed its network and copied files over a four-day period between September 14, 2021, and September 18, 2021.

The files contained names, addresses, dates of birth, Social Security numbers, health insurance information, client ID numbers, diagnoses, and treatment information. After confirming the individuals affected, Advocates collected up-to-date contact information to allow written notices to be provided, hence the delay in issuing notification letters.

The cyberattack was reported to the Federal Bureau of Investigation and regulators. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 68,236 individuals was included in the stolen files. Advocates said it is unaware of any attempted or actual misuse of the stolen information; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

PHI Stolen in Cyberattack on Medical Healthcare Solutions

The Boston, MA-based medical billing company Medical Healthcare Solutions has recently announced it was the victim of a cyberattack. The attack was discovered on November 19, 2021, and steps were immediately taken to secure its network to prevent further unauthorized access. The investigation confirmed an unauthorized individual had accessed its network between October 1, 2021, and October 4, 2021, and copied certain files from its network.

A review of the stolen files revealed they contained the following types of data: Name, address, date of birth, sex, phone number, email address, Social Security number, driver’s license/state ID number, financial account number, routing number, payment card number, card CVV/expiration, diagnosis/treatment information, procedure type, provider name, prescription information, date of service, medical record number, patient account number, insurance ID number, insurance group number, claim number, insurance plan name, provider ID number, procedure code, treatment cost, and diagnosis code.

A final list of individuals affected by the breach was obtained on January 8, and notification letters have now been issued. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. The incident has been reported to the HHS’ Office for Civil Rights, but it has not yet appeared on the breach portal, so it is currently unclear how many individuals have been affected.


Data Breaches Reported by Houston Area Community Services, County of Kings, and NYU Langone Health

Data breaches have recently been reported by Houston Area Community Services, County of Kings in California, and NYU Langone Health.

Avenue 360 Health and Wellness Reports Breach of Employee Email Accounts

Houston Area Community Services, Inc., doing business as Avenue 360 Health and Wellness, has discovered an unauthorized individual has gained access to the email accounts of certain employees and may have viewed or obtained the protected health information of 12,186 individuals.

Avenue 360 Health and Wellness said its investigation determined the email accounts were compromised between January 15, 2021, and April 2, 2021. A third-party vendor that specializes in the analysis of security incidents such as this was engaged to assist with the investigation.

A comprehensive review was conducted of all emails and attachments in the account. On November 9, 2021, Avenue 360 discovered the account contained names, medical record numbers, health insurance information, birthdates, diagnoses, clinical and treatment information, and prescription information. A limited number of individuals also had their Social Security numbers and/or financial information exposed.

Avenue 360 has not received any reports of actual or attempted misuse of patient data as a result of the email security breach. Notification letters started to be sent to affected individuals on January 5, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed. Email security has since been improved with anti-spam technology and multi-factor authentication.

Web Server Misconfiguration Exposed COVID-19 Data of 16,590 Individuals

County of Kings, a political subdivision of the State of California, has discovered that a public web server was misconfigured, which resulted in the exposure of information about COVID-19 cases.

The data had been provided to County’s Public Health Department by the California Department of Public Health and County healthcare providers and included names, dates of birth, addresses, and COVID-19 related information. The misconfiguration was detected on November 24, 2021, and the issue was fully corrected on December 6, 2021. The investigation revealed the misconfiguration occurred on February 15, 2021.

County of Kings officials said they could not rule out unauthorized accessing of the data over those 10 months, although there are no indications that any of the exposed information has been or will be misused.

Notification letters started to be sent to the 16,590 individuals whose sensitive information had been exposed on January 21, 2022. The County believes that the limited nature of the exposed data means individuals are not at risk and do not need to take any further actions. The County said it is taking steps to ensure COVID-19 information is better protected in the future.

NYU Langone Health Notifies 1,123 Patients About Mismailing Incident

NYU Langone Health has started notifying 1,123 patients about a vendor mailing error. On or around November 12, 2021, NYU Langone notified patients about a planned relocation of one of its oncology surgeons, who was based in Lake Success, NY.

A third-party vendor was used to send the notification letters and reformatted the addresses, which resulted in a misalignment of patient names and addresses on the envelopes. As a result, the letters were sent to incorrect addresses. The letters were addressed as “Dear Patient,” and did not include any protected health information.

NYU Langone has received assurances from its vendor that policies, procedures, and practices have been reviewed and updated to prevent similar misdirected mailings in the future.


Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021.

The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021.

The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 individuals was potentially accessed by the attackers.

The lawsuit was filed in the U.S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health Care Inc. dba Memorial Health System on behalf of plaintiff Kathleen Tucker and other individuals affected by the breach.

The lawsuit alleges the plaintiff’s and class members’ personal information, which included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical information, was compromised and unlawfully accessed, and that the plaintiff and class members, “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

The lawsuit alleges Memorial Health System was negligent for maintaining the private information of patients in a reckless manner by storing the information on systems that were vulnerable to cyberattacks. The lawsuit alleges the risk of cyberattacks was known to the defendant yet the necessary steps to secure private information were not taken. In addition to the negligence claim, the lawsuit alleges negligence per se, breach of implied contract, and unjust enrichment.

The plaintiff and class members are alleged to now be exposed to a heightened and imminent risk of fraud and identity theft and must now and in the future closely monitor their financial accounts to guard against identity theft. Out-of-pocket expenses have also been incurred, including the cost and time of arranging credit monitoring services, credit freezes, and credit reports.

The lawsuit seeks a jury trial and compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief, which should include improvements to Memorial Health System’s data security systems, future annual audits, and providing adequate credit monitoring services to individuals affected by the breach.

The lawsuit was filed by attorney Joseph M. Lyon of The Lyon Firm, LLC. The law firm of Console & Associates, P.C. has also initiated an investigation into the cyberattack and data breach.


Settlement Reached in Excellus Class Action Data Breach Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the initial intrusion to detect the security breach.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 million individuals. The case was settled in January 2021 and Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit required the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined the defendants have done anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum information security budget
  • Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
  • Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
  • Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
  • Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
  • Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is agreed by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.


New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States, and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, requiring a password of only 8 characters, even though EyeMed was aware of the importance of password complexity: its admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”


Email Breaches Reported by University of Arkansas for Medical Sciences and Sacramento County

Email-related breaches of protected health information (PHI) have recently been reported by the University of Arkansas for Medical Sciences and Sacramento County.

University of Arkansas for Medical Sciences (UAMS) Employee HIPAA Violation

The University of Arkansas for Medical Sciences (UAMS) has started sending notification letters to hundreds of patients to alert them to a HIPAA violation involving some of their PHI.

On November 29, 2021, UAMS discovered an employee had sent emails from her UAMS email account to a personal Gmail account that contained attachments that included patients’ PHI. UAMS said the emails were sent on November 15, 2021, while the individual was still employed by UAMS. The emails included billing statements that had been sent to UAMS for reimbursement and Excel spreadsheets used by UAMS for internal billing compliance and auditing purposes.

No clinical documents, medical records, financial information, or Social Security numbers were included in the attachments, but they did contain PHI such as names, hospital account numbers, medical record numbers, dates of service, insurance type, and claim information for billing purposes. The attachments also contained the dates of birth and medication information of a small number of individuals. In total, 518 individuals were affected.

UAMS said the employee concerned was interviewed about the HIPAA breach and maintained the emails had been sent to her personal email account in error. The employee voluntarily left UAMS.

Sacramento County Phishing Attack Exposed the Health Data of Thousands of Employees

Sacramento County has confirmed it was the victim of a phishing attack in June 2021 in which unauthorized individuals gained access to employee email accounts that contained the personal and protected health information of employees.

According to the notice, Sacramento County employees were targeted in a phishing attack on June 22, 2021, and five employees responded to the emails and disclosed their email account credentials. It is unclear when the security breach was detected, but officials said an audit of email mailboxes determined on November 17, 2021, that the compromised mailboxes contained 2,096 records that included the protected health information of employees, and a further 816 records that contained personal information.

Notification letters were sent to those individuals on January 21, 2022, and free credit monitoring, credit resolution, and identity restoration services have been offered for 12 months. The email security incident prompted Sacramento County to strengthen the password requirements for employee email accounts and implement 2-factor authentication. The security management plan has also been updated and further security awareness training has been provided to the workforce.


Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack

Ohio-based Memorial Health System has recently confirmed the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The ransomware attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. The attack was announced shortly after the breach, which occurred on August 14, 2021. The investigation revealed its network was first breached on July 10, 2021.

The incident was reported to the HHS’ Office for Civil Rights promptly, although at the time it was not known how many individuals had been affected. Memorial Health System discovered patient data may have been involved on or around September 17, 2021, and then conducted a comprehensive review of all affected files. On November 1, 2021, the scope of the incident was determined, but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around January 12, 2022.

The information exposed and potentially exfiltrated included names, addresses, Social Security numbers, medical/treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to Kroll’s credit monitoring service. Memorial Health System has since implemented additional safeguards to improve its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 Individuals

In mid-December, MedQuest Pharmacy started notifying 39,447 patients that some of their protected health information had potentially been compromised in a cyberattack that was detected on November 18, 2021. Assisted by its parent companies – UpHealth Inc and Innovations Group – and independent cybersecurity experts, MedQuest determined the attackers first gained access to its systems on October 27, 2021, and that unauthorized access to its environment was blocked on October 30, 2021.

A comprehensive review of all affected systems revealed the following types of information had potentially been accessed and/or acquired in the attack: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, health information, prescription information, referring doctor names, date(s) of treatment, health insurance policy numbers (including Medicare or Medicaid number), and internal MedQuest patient identification number.

MedQuest said a very small number of individuals also had their Social Security Number, driver’s license number, financial account/payment card information, health insurance claim number, policy information, and/or claim/appeal information exposed. All affected individuals have been offered a complimentary 12-month membership to Equifax’s credit and identity monitoring services.

Oscar Health Plan of California Notifies Members About 3rd Party Mismailing Incident

Oscar Health Plan of California has started notifying 7,632 individuals about an error at a printing vendor that resulted in their statements being sent to another health plan member.

According to a recent press release, the error affected mailings between October 28, 2021, and November 16, 2021. The statements included a limited amount of plan member information including name, claim number, health plan ID number, provider information, date(s) of service, procedure/service name, and plan name/affiliation only. In each case, the statement was sent to only one other plan member.

Oscar Health Plan has worked with its printing vendor to implement additional safeguards to prevent further mailing errors and has received no reports of any misuse of plan members’ information.


Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack

A Minnesota network of family medicine practices has started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago.

Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email.

The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

The investigation uncovered no evidence of actual or attempted misuse of any personal information. Entira Family Clinics said it is working to improve security and mitigate risk, and that process has involved a review and update of policies and procedures related to the security of its systems, servers, and life cycle management. A security audit was also conducted of the Netgain environment to ensure stricter security of the cloud hosting site.

Affected individuals have been offered a complimentary membership to online credit monitoring services through IDX. The breach report submitted to the Maine Attorney General indicates 199,628 individuals were affected.

The notification letters sent to affected individuals state, “We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information,” and that “Netgain was recently the target of a cybersecurity incident.”

There was no mention of the date of the breach in the notification letters, so affected individuals would not be aware that the ransomware attack and data theft incident had occurred more than 12 months previously on November 4, 2020.

Netgain announced the data breach in December 2020, and most affected companies were notified by February 2021. Most of the affected Netgain clients sent notification letters in the spring and summer of 2021. It is unclear why there was such a long delay in Entira Family Clinics issuing notification letters, and whether this was due to late notification from Netgain.

Also this month, Caring Communities, an Illinois-based member-owned liability insurance company serving not-for-profit senior housing and care organizations, sent notification letters about the Netgain data breach. The notification letters were sent on January 14, 2022, and closely mirror those sent by Entira.

Caring Communities also said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.”

Caring Communities said it replaced Netgain as its hosting provider and migrated its environment to another service provider after being notified about the data breach, and the same steps are being taken to improve security. Affected individuals have similarly been offered credit monitoring and identity theft protection services through IDX. It is currently unclear how many individuals have been affected. The notification letters also refer to the recent cyberattack on Netgain and do not mention when the attack occurred nor why there was such a long delay in issuing notification letters.
