Entira Family Clinics notifies of data breach one year later

Entira Family Clinics of Minnesota recently disclosed a data breach a year after the breach initially occurred. The original breach was caused by the Netgain ransomware attack at the end of 2020.

RELATED: MultiCare in Washington state suffers another data breach

HIPAA requires covered entities and their business associates such as Netgain to demonstrate due diligence when it comes to safeguarding protected health information (PHI). This includes establishing strong cyber protections like HIPAA compliant email.

But it also includes the accurate and timely reporting of breaches, something that Entira may not have accomplished.

The initial breach

According to Entira’s recent breach notification letter:

Netgain is a third-party entity that offers hosting and cloud IT solutions primarily for the healthcare and accounting industry. Entira, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail. Netgain was the target of a cybersecurity incident.

SEE ALSO: CSA offers guidance on preventing ransomware in the healthcare cloud

The breach affected hundreds of thousands of individuals at Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others.

The Entira investigation revealed that the cyberattacker accessed such PHI as names, addresses, Social Security Numbers, and medical histories. Entira notes that there is no evidence to indicate PHI “has been or will be misused,” and that the family clinic “decided to notify [the affected] of this incident out of an abundance of caution.”

Interestingly, the notification letter does not mention when the breach occurred or when Netgain informed the clinic of the incident.

The Maine Attorney General’s Office states that the Entira breach impacted 199,628 individuals, while the March 2, 2021 listing on the U.S. Office for Civil Rights’ (OCR) Breach Notification Portal lists only 1,975 individuals.

HIPAA compliance: breach notification

HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Understanding and implementing HIPAA and its rules is fundamental to avoiding both a breach and a HIPAA violation.

SEE ALSO: What to do after you violate HIPAA

Unfortunately, cyberattackers target the healthcare industry, which is why compliance with HIPAA’s guidelines is crucial.

RELATED: Why is healthcare a juicy target for cybercrime?

Included in HIPAA is the Breach Notification Rule (2009), which requires healthcare providers to report all PHI breaches appropriately. Data breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).

Essentially, complying with breach notification laws provides affected individuals with adequate warning in case they need to monitor their credit.

Entira’s 2022 breach notification

The original Netgain ransomware attack occurred between November 24 and December 3, 2020, though access may go as far back as September 2020.

RELATED: Ransomware is more common in healthcare than you think

Entira reported the incident to some state and federal agencies in March 2021 and included:

  • The date Netgain notified Entira (December 20, 2020)
  • The facts of the cybersecurity incident
  • PHI stolen during the incident
  • What the investigation discovered

So why did the breach notification come over a year later? Language within a January 13, 2022 letter sent to patients in Maine states that Entira “recently discovered” the breach. Entira did not include the actual date even though the information is required by the Breach Notification Rule.

Hopefully the reason for the discrepancy will come to light after the OCR investigation. It should be noted that Entira was not the only covered entity to notify affected individuals late.

HIPAA compliance: always employ strong cybersecurity

The best way to avoid a breach, HIPAA violation, and OCR fine is to comply with all state and federal regulations. This includes not only breach notification rules, but also all guidelines on cybersecurity measures.

RELATED: Your cybersecurity strategy is probably lacking

What does this look like? Measures should include:

Finally, strong email security (i.e., HIPAA compliant email) keeps ransomware from becoming an issue in the first place. Our patented HITRUST CSF certified solution Paubox Email Suite Plus uses needed encryption on all outgoing emails.

RELATED: Why healthcare providers should use HIPAA compliant email

Moreover, messages can be sent from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior. No need for extra passwords, logins, or patient portals for safe communication.

Our patent-pending Zero Trust Email feature even adds an AI-powered proof of legitimacy to all inbound emails before they are delivered.

HIPAA compliance is about knowing, understanding, and implementing all factors of HIPAA. That includes following the Breach Notification Rule as much as utilizing robust cybersecurity.


About the author

Kapua Iao
