Entira Family Clinics and Caring Communities Send Notification Letters About Netgain’s 2020 Ransomware Attack
Jan 19

A Minnesota network of family medicine practices started notifying almost 200,000 patients that some of their personal and protected health information was potentially compromised in a cyberattack on a business associate more than a year ago. Entira Family Clinics explained in the notification letters, which were sent to affected individuals on January 13, 2022, that the breach occurred at Netgain Technologies, which provides hosting and cloud IT solutions to companies in the healthcare and accounting sectors. Entira Family Clinics used Netgain’s services for hosting and email. The healthcare provider said the information potentially compromised included names, addresses, Social Security numbers, and medical histories. In the notification letters, Entira said, “Upon discovery, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further. We have also stayed in close communication with Netgain and its breach counsel regarding Netgain’s incident response and forensic investigation.” The...

Jefferson Surgical Clinic Announces June 2021 Data Breach Impacting 174,769 Patients
Jan 19

Roanoke, VA-based Jefferson Surgical Clinic has started notifying patients that some of their protected health information has potentially been compromised in a cyberattack that was detected on June 5, 2021. According to the breach notification letter provided to the Maine Attorney General, the attacker gained access to parts of the network that contained patient data such as names, birth dates, Social Security numbers, and health and treatment information. Jefferson Surgical Clinic promptly notified the Federal Bureau of Investigation about the breach and engaged third-party cybersecurity and forensics specialists to assist with the investigation. The investigation uncovered no evidence to suggest any patient data has been or will be misused as a result of the security breach; however, as a precaution against identity theft and fraud, Jefferson Surgical Clinic has offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services. The Maine Attorney General was notified that the parts of the network accessed by the attacker contained...

HHS Releases Final Trusted Exchange Framework and Common Agreement
Jan 19

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA. The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the...

December 2021 Healthcare Data Breach Report
Jan 18

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – a 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc....

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit
Jan 17

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack. In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs....
