HIPAA requires covered entities and their business associates such as Netgain to demonstrate due diligence when it comes to safeguarding protected health information (PHI). This includes establishing strong cyber protections like HIPAA compliant email.
But it also includes the accurate and timely reporting of breaches, something that Entira may not have accomplished.
The initial breach
According to Entira’s recent breach notification letter:
Netgain is a third-party entity that offers hosting and cloud IT solutions primarily for the healthcare and accounting industry. Entira, along with thousands of other healthcare entities, retained Netgain for online hosting of its environment, including cloud services and e-mail. Netgain was the target of a cybersecurity incident.
The breach affected hundreds of thousands of individuals at Allina Health’s Apple Valley Clinic, San Ysidro Health, SAC Health Systems, San Diego Family Care, and Elara Caring, among others.
The Entira investigation revealed that the cyberattacker accessed such PHI as names, addresses, Social Security Numbers, and medical histories. Entira notes that there is no evidence to indicate PHI “has been or will be misused,” and that the family clinic “decided to notify [the affected] of this incident out of an abundance of caution.”
Interestingly, the notification letter does not mention when the breach occurred or when Netgain informed the clinic of the incident.
The Maine Attorney General’s Office states that the Entira breach impacted 199,628 individuals. The March 2, 2021 listing on the U.S. Office for Civil Rights’ (OCR) Breach Notification Portal states 1,975 individuals.
HIPAA compliance: breach notification
HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Understanding and implementing HIPAA and its rules is fundamental to avoiding both a breach and a HIPAA violation.
Unfortunately, cyberattackers target the healthcare industry, which is why compliance with HIPAA’s guidelines is crucial.
Included in HIPAA is the Breach Notification Rule (2009). The rule makes it mandatory for healthcare providers to appropriately report all PHI breaches. Breaches affecting more than 500 individuals require notification within 60 days of discovery (or directly after an investigation).
Essentially, complying with breach notification laws provides affected individuals with adequate warning in case they need to monitor their credit.
Entira’s 2022 breach notification
The original Netgain ransomware attack occurred between November 24 and December 3, 2020, though access may go as far back as September 2020.
Entira reported the incident to some state and federal agencies in March 2021 and included:
- The date Netgain notified Entira (December 20, 2020)
- The facts of the cybersecurity incident
- PHI stolen during the incident
- What the investigation discovered
So why did the breach notification come over a year later? Language within a January 13, 2022 letter sent to patients in Maine states that Entira “recently discovered” the breach. Entira did not include the actual date even though the information is required by the Breach Notification Rule.
Hopefully the reason for the discrepancy will come to light after the OCR investigation. It should be noted that Entira was not the only covered entity to notify affected individuals late.
HIPAA compliance: always employ strong cybersecurity
The best way to avoid a breach, HIPAA violation, and OCR fine is to comply with all state and federal regulations. This includes not only breach notification rules, but also all guidelines on cybersecurity measures.
What does this look like? Measures should include:
- Consistent and up-to-date policies
- Employee awareness training
- Robust password policies and multifactor authentication
- Encryption at rest and in transit
- Firewalls and antivirus software
- Separate offline backup and storage systems
Finally, strong email security (i.e., HIPAA compliant email) keeps ransomware from becoming an issue in the first place. Our patented HITRUST CSF certified solution, Paubox Email Suite Plus, encrypts all outgoing emails.
Moreover, messages can be sent from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior. No need for extra passwords, logins, or patient portals for safe communication.
Our patent-pending Zero Trust Email feature even adds an AI-powered proof of legitimacy to all inbound emails before they are delivered.
HIPAA compliance is about knowing, understanding, and implementing all factors of HIPAA. That includes following the Breach Notification Rule as much as utilizing robust cybersecurity.