Associated Eye Care Partners Issues Notifications About December 2020 Data Breach
Montana-based Associated Eye Care Partners (AECP) has recently started notifying patients that their private health information was compromised in a data breach at a business associate that was detected in early December 2020.
The data breach in question occurred at Netgain Technology, which provided managed IT services to many organizations in the healthcare sector. Netgain Technology experienced a ransomware attack in which files containing sensitive data were stolen. Netgain paid the ransom to prevent any further disclosure of the stolen data and received assurances from the ransomware gang that the stolen data had been deleted.
Netgain Technology notified affected healthcare clients in January 2021, and those entities started to issue notification letters to affected patients over the next couple of months. While some affected healthcare clients took longer to issue notifications, it has now been 18 months since Netgain started notifying affected clients.
According to the AEC notification letter – dated July 8, 2022 – “Upon notification by Netgain to AEC, we worked with our information technology (IT) support team and engaged a law firm specializing in cybersecurity and data privacy to investigate further.” An extensive data mining project was then conducted to determine which individuals had been affected, and that process was completed on May 16, 2022. After verifying contact information, notification letters were sent in July. AEC did not disclose when it was informed by Netgain about the data breach.
AEC said names, addresses, Social Security numbers, and medical histories had been exposed and potentially stolen, but there have been no reports of any actual or attempted misuse of patient data as a result of the data breach. In response to the breach, AEC replaced Netgain as its hosting vendor, migrated all data to another service provider, and has taken steps to introduce further safeguards to prevent any similar attacks in the future. AEC has offered affected individuals complimentary credit monitoring services.
The Netgain data breach was reported separately by each affected client and is understood to have affected more than 1 million individuals. It is currently unclear how many AEC patients have been affected, as the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.