Paubox blog: HIPAA compliant email made easy

Entira Family Clinics notifies of data breach one year later

Written by Kapua Iao | January 24, 2022

Entira Family Clinics of Minnesota recently disclosed a data breach a year after the breach initially occurred. The original breach was caused by the Netgain ransomware attack at the end of 2020.

RELATED: MultiCare in Washington state suffers another data breach

HIPAA requires covered entities and their business associates such as Netgain to demonstrate due diligence when it comes to safeguarding protected health information (PHI).

This includes establishing strong cyber protections like HIPAA compliant email. But it also includes the accurate and timely reporting of breaches, something that Entira may not have accomplished.

The initial breach

According to Entira’s recent breach notification letter:

Netgain is a third-party entity that offers hosting and cloud IT solutions primarily for the healthcare and accounting industry. Entira, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail. Netgain was the target of a cybersecurity incident.

SEE ALSO: CSA offers guidance on preventing ransomware in the healthcare cloud

The breach affected hundreds of thousands of individuals at Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others.

The Entira investigation revealed that the cyberattacker accessed such PHI as names, addresses, Social Security Numbers, and medical histories. Entira notes that there is no evidence to indicate PHI “has been or will be misused,” and that the family clinic “decided to notify [the affected] of this incident out of an abundance of caution.”

Interestingly, the notification letter does not mention when the breach occurred or when Netgain informed the clinic of the incident. The Maine Attorney General’s Office states that the Entira breach impacted 199,628 individuals. The March 2, 2021 listing on the U.S. Office for Civil Rights’ (OCR) Breach Notification Portal states 1,975 individuals.

HIPAA compliance: breach notification

HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Understanding and implementing HIPAA and its rules is fundamental to avoiding both a breach and a HIPAA violation.

SEE ALSO: What to do after you violate HIPAA

Unfortunately, cyberattackers target the healthcare industry, which is why compliance with HIPAA’s guidelines is crucial.

RELATED: Why is healthcare a juicy target for cybercrime?

Included in HIPAA is the Breach Notification Rule (2009). The rule makes it mandatory for healthcare providers to appropriately report all PHI breaches. Data breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).

Essentially, complying with breach notification laws provides affected individuals with adequate warning in case they need to monitor their credit.

Entira’s 2022 breach notification

The original Netgain ransomware attack occurred between November 24 and December 3, 2020, though access may go as far back as September 2020.

RELATED: Ransomware is more common in healthcare than you think

Entira reported the incident to some state and federal agencies in March 2021 and included:

  • The date Netgain notified Entira (December 20, 2020)
  • The facts of the cybersecurity incident
  • PHI stolen during the incident
  • What the investigation discovered

So why did the breach notification come over a year later? Language within a January 13, 2022 letter sent to patients in Maine states that Entira “recently discovered” the breach. Entira did not include the actual date even though the information is required by the Breach Notification Rule.

Hopefully the reason for the discrepancy will come to light after the OCR investigation. It should be noted that Entira was not the only covered entity to notify affected individuals late.

HIPAA compliance: always employ strong cybersecurity

The best way to avoid a breach, HIPAA violation, and OCR fine is to comply with all state and federal regulations. This includes not only breach notification rules, but also all guidelines on cybersecurity measures.

RELATED: Your cybersecurity strategy is probably lacking

What does this look like? Measures should include:

Finally, strong email security (i.e., HIPAA compliant email) keeps ransomware from becoming an issue in the first place. Our patented HITRUST CSF certified solution Paubox Email Suite Plus uses needed encryption on all outgoing emails.

RELATED: Why healthcare providers should use HIPAA compliant email

Moreover, messages can be sent from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior. No need for extra passwords, logins, or patient portals for safe communication.

Our patent-pending Zero Trust Email feature even adds an AI-powered proof of legitimacy to all inbound emails before they are delivered. HIPAA compliance is about knowing, understanding, and implementing all factors of HIPAA. That includes following the Breach Notification Rule as much as utilizing robust cybersecurity.

Try Paubox Email Suite Plus for FREE today.