DataBreaches.net

The Office of Inadequate Security

Magnolia Pediatrics notifies patients of a security incident after OCR tells them it’s reportable

Posted on October 1, 2020 by Dissent

Almost one year after Magnolia Pediatrics notified 11,000 patients about a ransomware attack on an unnamed IT vendor, they are now notifying more than 12,000 patients of another attack. This time, they wound up firing their vendor.

According to a notification on their web site, on March 26, Magnolia Pediatrics discovered a security incident. Their IT vendor, LaCompuTech, investigated and reportedly told them that the only information that was compromised was the Master Boot Record, and that no patient information had been accessed, exfiltrated, or encrypted. According to Magnolia Pediatrics, LaCompuTech advised Magnolia that this was not a HIPAA breach and no notification to patients was required.

Why Magnolia would rely on their tech vendor for legal advice on their HIPAA obligations instead of calling their practice lawyer was not explained.

In any event, on September 11, OCR contacted Magnolia and informed them that this was a reportable incident because any individual who had the ability to encrypt the MBR had access to the entire server and therefore all the protected health information on it.

As a result, Magnolia Pediatrics began contacting more than 12,000 patients — even though no protected health information was exfiltrated or copied or directly accessed.

The notification, reproduced below, does not explain how OCR became aware of the incident. Nor does it indicate whether the vendor was the same vendor who had the ransomware attack in 2019 and who paid the ransom to resolve that one.

DataBreaches.net reached out to LaCompuTech to inquire whether they were the same vendor involved in the ransomware incident and will update this post if a response is received.

In any event, one takeaway from this incident seems to be a reminder to have a lawyer who is knowledgeable about HIPAA advise you on your obligations, and to consult with them.

As of today’s date, neither of the practice’s two HIPAA incidents is marked as closed by OCR.

Magnolia Pediatric_March 26 2020

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.