The definitions of “recently” and “discovered” leave a lot to be desired
In March, 2021, Family Health Services MN d/b/a Entira Family Clinics notified the Maryland Attorney General’s Office that they had been impacted by the Netgain ransomware attack that affected more than one dozen covered entities and more than 1 million patients.
Entira’s external counsel’s letter of March 1, 2021, identified the dates upon which Netgain had first notified Entira of the incident (December 20, 2020) and then notified them that some of Entira’s data had been removed from the network by the threat actors (January 4, 2021). By the March 1 letter, Entira had already investigated to determine who had data potentially compromised, and what kind of information.
So why, on January 13, 2022, does Entira send a letter to patients in Maine that begins:
Entira Family Clinics is a family medicine practice with locations across Minnesota. We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information. This letter contains additional information about the incident, our response to the incident, and steps you can take to protect yourself. Please be assured that Entira takes the protection and proper use of personal information very seriously, and we sincerely apologize for any inconvenience this may cause.
They “recently discovered?” Recently? Ten months after Maryland was notified, Maine residents first get notified?
This notification letter does not tell the recipient when the incident occurred, when Entira was first notified about it, and when Entira first discovered any PHI was involved. Why did Maryland residents get such detailed information but not Maine residents?
Now I grant you that there were apparently (only) nine Maine residents out of a total of 199,628 patients who needed to be notified about this breach, but this is still infuriating.
And if you are surprised to learn that almost 200,000 patients were impacted by this breach, rest assured that you didn’t miss anything. Entira reported this breach to HHS in March, 2021 as impacting 1975 patients and there has been no update to that listing on HHS’s public breach tool.
Updated January 15: It appears Caring Communities Shared Services has sent the same letter to an unspecified number of people. Why it took them until now to notify people is unknown to this site and no listing could be found on HHS’s public breach tool.