Associated Eye Care Partners Issues Notifications About December 2020 Data Breach

Montana-based Associated Eye Care Partners (AECP) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020.

The data breach in question occurred at Netgain Technologies, which provided managed IT services to many organizations in the healthcare sector. Netgain Technologies experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted.

Netgain Technologies notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients.

According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further.” An extensive data mining project was then conducted to determine which individuals had been affected, and that process was completed on May 16, 2022. After verifying contact information, notification letters were sent in July. AEC did not disclose when it was informed by Netgain about the data breach.

AEC said names, addresses, Social Security numbers, and medical histories had been exposed and potentially stolen, but there have been no reports of any actual or attempted misuse of patient data as a result of the data breach. In response to the breach, AEC replaced Netgain as its hosting vendor, migrated all data to another service provider, and has taken steps to introduce further safeguards to prevent any similar attacks in the future. AEC has offered affected individuals complimentary credit monitoring services.

The Netgain Technologies data breach was reported separately by each affected client and is understood to have affected more than 1 million individuals. It is currently unclear how many AEC patients have been affected, as the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.