Thursday, April 18, 2024

The definitions of “recently” and “discovered” leave a lot to be desired

In March, 2021, Family Health Services MN d/b/a Entira Family Clinics notified the Maryland Attorney General’s Office that they had been impacted by the Netgain ransomware attack that affected more than one dozen covered entities and more than 1 million patients.

Entira’s external counsel’s letter of March 1, 2021, identified the dates upon which Netgain had first notified Entira of the incident (December 20, 2020) and then notified them that some of Entira’s data had been removed from the network by the threat actors (January 4, 2021). By the March 1 letter, Entira had already investigated to determine who had data potentially compromised, and what kind of information.

So why, on January 13, 2022, does Entira send a letter to patients in Maine that begins:

Entira Family Clinics is a family medicine practice with locations across Minnesota. We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information. This letter contains additional information about the incident, our response to the incident, and steps you can take to protect yourself. Please be assured that Entira takes the protection and proper use of personal information very seriously, and we sincerely apologize for any inconvenience this may cause.

They “recently discovered?”  Recently?  Ten months after Maryland was notified, Maine residents first get notified?

This notification letter does not tell the recipient when the incident occurred when Entira was first notified about it, and when Entira first discovered any PHI was involved.  Why did Maryland residents get such detailed information but not Maine residents?

Recommended:  HTTP Fundamentals: Understanding the Basics of Web Communication

Now I grant you that there were apparently (only) nine Maine residents out of a total of 199,628 patients who needed to be notified about this breach, but this is still infuriating.

And if you are surprised to learn that almost 200,000 patients were impacted by this breach, rest assured that you didn’t miss anything. Entira reported this breach to HHS in March 2021 as impacting 1975 patients and there has been no update to that listing on HHS’s public breach tool.


Got o Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

We think you may enjoy reading, Polish DPA imposes a fine on Warsaw University of Technology

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates