Associated Eye Care Partners (AECP), based in Montana, has recently begun informing patients that their private health data were compromised in a data breach at a business associate, which was discovered at the beginning of December 2020.
The data breach happened at Netgain Technologies, a managed IT services provider to many companies in the healthcare industry. Netgain Technologies suffered a ransomware attack in which files containing sensitive information were stolen. Netgain paid the ransom to avoid any further exposure of the stolen information and obtained assurances from the ransomware group that it had deleted the stolen data.
Netgain Technologies informed the healthcare clients impacted by the breach in January 2021, and those entities began sending notification letters to affected patients over the following few months. It is now 18 months since Netgain Technologies began sending notifications, but a number of impacted healthcare clients took considerably longer to notify their patients.
According to the July 8, 2022 AECP notification letter, as soon as AECP received the notification from Netgain, it instructed its information technology (IT) support group and a law firm specializing in data privacy and cybersecurity to investigate the incident. A substantial data mining project was then performed to determine which individuals were impacted, and that process was completed on May 16, 2022. After confirming contact details, AECP sent notification letters in July. AECP does not say when it received the notification from Netgain about the data breach.
AECP stated that names, addresses, medical records, and Social Security numbers were exposed and possibly stolen, but there have been no reports of any attempted or actual misuse of patient data resulting from the data breach. Because of the breach, AECP discontinued the hosting services provided by Netgain, transferred all data to a different service provider, and introduced additional safety measures to prevent similar attacks in the future. AECP has provided affected individuals with free credit monitoring services.
Each affected client reported the Netgain Technologies data breach separately, and in total the breach is known to have impacted over 1 million individuals. It is presently unknown how many AECP patients were affected, since the incident has not yet been posted on the HHS Office for Civil Rights breach portal.