Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation

Posted by Steve Alder

Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.

Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients.  Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.

On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.

The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court.  Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.

Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, backup data protection, and configure its network in a secure and scalable manner.

The post Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation appeared first on The HIPAA Journal.

Michigan House Passes Bill Requiring Medical Records to be Stored Domestically

Posted by Steve Alder

The Michigan House of Representatives has passed a bill (HB 4242) that seeks to protect the sensitive health data of state residents from foreign entities of concern by requiring electronic medical records to be stored in the United States or Canada.

If signed into law, Michigan residents will have peace of mind that their sensitive healthcare data will be protected from all foreign entities of concern on the federal watch list, namely The People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolas Maduro, and the Syrian Arab Republic.

The bill was introduced by Rep. Jamie Thompson (R) and requires licensees that use off-site physical or virtual environments for electronic medical records to ensure that the physical or virtual environment is physically maintained in a U.S. state or Canadian province, including if the medical records are maintained by a third-party medical records company.  If passed, healthcare regulatory compliance fines of up to $10,000 can be imposed if the failure was due to gross negligence or willful and wanton misconduct.

“Ensuring our health care record technology is physically maintained in the US or Canada, as my bill does, is a needed step Michigan should take to protect the personal and private health information of people we all represent,” explained Thompson. “Our adversaries abroad frequently try to compromise our national security and access information within our country. We should be updating our laws to reflect this reality and installing commonsense safeguards to protect residents.”

Under federal HIPAA law, healthcare providers are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, HIPAA does not require medical records to be maintained in the United States or Canada.

In 2023 and 2024, more than 700 large healthcare data breaches were reported to the HHS’ Office for Civil Rights, with large data breaches reported at a rate of more than two per day. “If these breaches come from a foreign adversary of the United States, the fallout could be profound,” Rep. Thompson said. “In addition, the lack of trust resulting from a privacy breach can cause patients to potentially withhold serious information that may help get them needed care. As a licensed practical nurse, I find this element very concerning as well.”

Several other bills have been introduced with requirements to protect data from foreign influence (House Bills 4233-35 and 4238-42). They include provisions that prevent foreign entities of concern from collecting sensitive information by blocking prohibited apps on government devices; prevent public bodies from entering into constraining agreements with foreign entities of concern; ensure public economic incentives are not awarded to foreign entities of concern; and prevent entities of concern from purchasing land and surveilling military bases and other critical infrastructure. The bills will now be considered by the Senate.

The post Michigan House Passes Bill Requiring Medical Records to be Stored Domestically appeared first on The HIPAA Journal.