The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Associated Eye Care Partners Issues Notifications About December 2020 Data Breach

Montana-based Associated Eye Care Partners (AECP) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020.

The data breach in question occurred at Netgain Technology, which provided managed IT services to many organizations in the healthcare sector. Netgain Technology experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted.

Netgain Technology notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients.

According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further.” An extensive data mining project was then conducted to determine which individuals had been affected, and that process was completed on May 16, 2022. After verifying contact information, notification letters were sent in July. AEC did not disclose when it was informed by Netgain about the data breach.

AEC said names, addresses, Social Security numbers, and medical histories had been exposed and potentially stolen, but there have been no reports of any actual or attempted misuse of patient data as a result of the data breach. In response to the breach, AEC replaced Netgain as its hosting vendor, migrated all data to another service provider, and has taken steps to introduce further safeguards to prevent any similar attacks in the future. AEC has offered affected individuals complimentary credit monitoring services.

The Netgain data breach was reported separately by each affected client and is understood to have affected more than 1 million individuals. It is currently unclear how many AEC patients have been affected, as the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
