Almost one year after Magnolia Pediatrics notified 11,000 patients about a ransomware attack on an unnamed IT vendor, they are now notifying more than 12,000 patients of another attack. This time, they wound up firing their vendor.

According to a notification on their web site, on March 26, the Magnolia Pediatrics discovered a security incident. Their IT vendor, LaCompuTech, investigated and reportedly told them that the only information that was compromised was the Master Boot Record, and that no patient information had been accessed, exfiltrated, or encrypted. According to Magnolia Pediatrics, LaCompuTech advised Magnolia that this was not a HIPAA breach and no notification to patients was required.

Why Magnolia would rely on their tech vendor for legal advice on their HIPAA obligations instead of calling their practice lawyer was not explained.

In any event, on September 11, OCR contacted Magnolia and informed them that this was a reportable incident because any individual who had the ability to encrypt the MBR had access to the entire server and therefore all the protected health information on it.

As a result, Magnolia Pediatric began contacting more than 12,000 patients — even though no protected health information was exfiltrated or copied or directly accessed.

The notification, reproduced below, does not explain how OCR became aware of the incident.  Nor does it indicate whether the vendor was the same vendor who had the ransomware attack in 2019 and who paid the ransom to resolve that one.

DataBreaches.net reached out to LaCompuTech to inquire whether they were the same vendor involved in the ransomware incident and will update this post if a response is received.

In any event, one takeaway from this one seems to be a reminder to have a lawyer who is knowledgeable about HIPAA to advise you on your obligations and to consult with them.

As of today’s date, neither of the practice’s two HIPAA incidents are  marked as closed by OCR.