Entira Family Clinics of Minnesota recently disclosed a data breach a year after the breach initially occurred. The original breach was caused by the Netgain ransomware attack at the end of 2020.
HIPAA requires covered entities and their business associates such as Netgain to demonstrate due diligence when it comes to safeguarding protected health information (PHI).
This includes establishing strong cyber protections like HIPAA compliant email. But it also includes the accurate and timely reporting of breaches, something that Entira may not have accomplished.
According to Entira’s recent breach notification letter:
Netgain is a third-party entity that offers hosting and cloud IT solutions primarily for the healthcare and accounting industry. Entira, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail. Netgain was the target of a cybersecurity incident.
The breach affected hundreds of thousands of individuals at Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others.
The Entira investigation revealed that the cyberattacker accessed such PHI as names, addresses, Social Security Numbers, and medical histories. Entira notes that there is no evidence to indicate PHI “has been or will be misused,” and that the family clinic “decided to notify [the affected] of this incident out of an abundance of caution.”
Interestingly, the notification letter does not mention when the breach occurred or when Netgain informed the clinic of the incident. The Maine Attorney General’s Office states that the Entira breach impacted 199,628 individuals. The March 2, 2021 listing on the U.S. Office for Civil Rights’ (OCR) Breach Notification Portal states 1,975 individuals.
HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Understanding and implementing HIPAA and its rules is fundamental to avoiding both a breach and a HIPAA violation.
Unfortunately, cyberattackers target the healthcare industry, which is why compliance with HIPAA’s guidelines is crucial.
Included in HIPAA is the Breach Notification Rule (2009). The rule makes it mandatory for healthcare providers to appropriately report all PHI breaches. Data breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).
Essentially, complying with breach notification laws provides affected individuals with adequate warning in case they need to monitor their credit.
The original Netgain ransomware attack occurred between November 24 and December 3, 2020, though access may go as far back as September 2020.
Entira reported the incident to some state and federal agencies in March 2021 and included:
So why did the breach notification come over a year later? Language within a January 13, 2022 letter sent to patients in Maine states that Entira “recently discovered” the breach. Entira did not include the actual date even though the information is required by the Breach Notification Rule.
Hopefully the reason for the discrepancy will come to light after the OCR investigation. It should be noted that Entira was not the only covered entity to notify affected individuals late.
The best way to avoid a breach, HIPAA violation, and OCR fine is to comply with all state and federal regulations. This includes not only breach notification rules, but also all guidelines on cybersecurity measures.
What does this look like? Measures should include:
Finally, strong email security (i.e., HIPAA compliant email) keeps ransomware from becoming an issue in the first place. Our patented, HITRUST CSF-certified solution, Paubox Email Suite Plus, applies the required encryption to all outgoing emails.
Moreover, messages can be sent from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior. No need for extra passwords, logins, or patient portals for safe communication.
Our patent-pending Zero Trust Email feature even adds an AI-powered proof of legitimacy to all inbound emails before they are delivered. HIPAA compliance is about knowing, understanding, and implementing all factors of HIPAA. That includes following the Breach Notification Rule as much as utilizing robust cybersecurity.