data security

The definitions of “recently” and “discovered” leave a lot to be desired

In March, 2021, Family Health Services MN d/b/a Entira Family Clinics notified the Maryland Attorney General’s Office that they had been impacted by the Netgain ransomware attack that affected more than one dozen covered entities and more than 1 million patients.

Entira’s external counsel’s letter of March 1, 2021, identified the dates upon which Netgain had first notified Entira of the incident (December 20, 2020) and then notified them that some of Entira’s data had been removed from the network by the threat actors (January 4, 2021). By the March 1 letter, Entira had already investigated to determine who had data potentially compromised, and what kind of information.

So why, on January 13, 2022, does Entira send a letter to patients in Maine that begins:

Entira Family Clinics is a family medicine practice with locations across Minnesota. We recently discovered that a data security incident on Netgain’s environment may have resulted in the unintentional exposure of your personal information. This letter contains additional information about the incident, our response to the incident, and steps you can take to protect yourself. Please be assured that Entira takes the protection and proper use of personal information very seriously, and we sincerely apologize for any inconvenience this may cause.

They “recently discovered?”  Recently?  Ten months after Maryland was notified, Maine residents first get notified?

This notification letter does not tell the recipient when the incident occurred when Entira was first notified about it, and when Entira first discovered any PHI was involved.  Why did Maryland residents get such detailed information but not Maine residents?

Recommended:  Cybersecurity Statistics to know for 2022

Now I grant you that there were apparently (only) nine Maine residents out of a total of 199,628 patients who needed to be notified about this breach, but this is still infuriating.

And if you are surprised to learn that almost 200,000 patients were impacted by this breach, rest assured that you didn’t miss anything. Entira reported this breach to HHS in March 2021 as impacting 1975 patients and there has been no update to that listing on HHS’s public breach tool.


Got o Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

We think you may enjoy reading, Polish DPA imposes a fine on Warsaw University of Technology

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Latest posts by RiSec.n0tst3 (see all)
Recommended:  Is Your Brand New Computer Pre-Infected With Malware?
Share the word, let's increase Cybersecurity Awareness as we know it

8 thoughts on “The definitions of “recently” and “discovered” leave a lot to be desired”

  1. Pingback: Ukrainian Government Officially Accuses Russia of Recent Cyberattacks |

  2. Pingback: City of Tenino loses $280,309 to phishing email scam, state Auditor’s Office says |

  3. Pingback: New NCSC Guidance: Actions to take when the cyber threat is heightened |

  4. Pingback: Oracle Prepare to Release Nearly 500 Security Patches This Week |

  5. Pingback: Safari 15 Vulnerability Allows Cross-Site Tracking of Users |

  6. Pingback: Why You Should Use DNS Filtering On Public WiFi |

  7. Pingback: Beware Of New RDP Exploit, says Avast |

  8. Pingback: Cybersecurity Experts Concerns Over 2022 Beijing Olympics app |

Leave a Comment

Your email address will not be published. Required fields are marked *

RiSec Captcha + 15 = 21