Source

https://www.databreaches.net/woodcreek-provider-services-notifies-more-than-210000-patients-of-netgain-ransomware-incident/

backrest in January, this site noted that a ransomware tone-beginning on Netgain Technology had impacted Ramsey County. Previous coverage of the Netgain assail had reported that Netgain had stated that they were victims of a ransomware onslaught on november 24th, 2020 and On december 4th, customers began receiving emails from Netgain stating that they may experience “system outages or slowdowns” due to a cyberattack on the hosting provider. Now it appears that not everybody was notified on december 4 and the breach was much bigger than we may have thought. On February 17, external counsel for Woodcreek provider Services provided a detailed letter to washington state’s attorney general. That statement reported that on January 4, 2021, Woodcreek Provider Services was notified that Netgains systems had been compromised, but the impact on Woodcreek provider Services data was unknown. Additional details about the incident were provided on January 14, 2021. At that time, Netgain reported a security incident that involved unauthorized access to portions of the Netgain environment which Netgain had discovered in late November 2020 but may have occurred as early as September 2020. According to the letter from Barbra Nault of Studebaker|Nault, the terror actors reportedly deployed the ransomware on december 3, and data from Woodcreek was exfiltrated prior to that deployment. Of note, Netgain reportedly paid the threat actors and recovered Woodcreek provider Services information. The type of ransomware and the amount of the payment were not disclosed, but advocate for Woodcreek wrote that Netgain had received assurances that the attackers deleted the data and did not retain any copies. Netgain reported that through law enforcement channels and its cybersecurity experts engagements with this threat actor, Netgain was informed that once payment is made, the threat actors are not known to post the data nor hold any copies of it. as an added precaution, Netgain reported its cybersecurity experts continue to monitor for any signs that the data exfiltrated has been posted for sale, and that as of january 14, 2021, no such indications have been identified. Assurances notwithstanding, Woodcreek appropriately began the process of processing the copy of the data band it received from Netgain on January 18 in preparation for mailing notifications. The recovered data lot reportedly included both personal information as defined by washington statute and “protected health information” as defined under HIPAA. The recovered data circle included the following types of personal information from business records maintained by Woodcreek provider Services: full names, dates of birth, social security numbers, pupil identification numbers, health insurance policy numbers, bank account numbers (from direct deposit forms and voided checks), resumes, transcripts, performance appraisals, criminal desktop check reports, court documents related to garnishments, tribunal orders and decrees, copies of diplomas, degrees, gameboard certifications, Drug Enforcement Agency certificates, payroll withholding authorizations for 401k elections and insurance deduction authorizations, benefit enrollment forms, payroll tax forms (W2s, W4s, 1095s, & K1s), and employee health information, including vaccination records, on-the-job injury reports and safety incident reports. The recovered data localize also included protected health information maintained by Woodcreek provider Services, Woodcreek Healthcare and/or MultiCare Health System, including patient names and addresses, medical tape numbers, dates of birth, insurance identification numbers, indemnity claims information, explanation of benefits, statements, clinical notes, referral requests, laboratory reports, determination not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, prescription requests, discharge of information forms, subpoena records requests, medical tape disclosure logs, incident reports, invoices, agreement with patients, and some medical records. The primary electronic medical records database was not affected by this incident. For the data set, 557 persons needed to be notified of the personal information, and an additional radical of 25,360 needed to be notified because their personal information was associated with individuals receiving services delivered by either Multicare Health system or Woodcreek Healthcare. That would appear to be 25,360 Washington residents because later in the notification it says: Woodcreek provider Services is a business associate of MultiCare Health System as that relationship is defined in HIPAA and is also complying with the requirements of HIPAA in responding to this incident. An additional group of approximately 210,000 individuals will receive notification of this incident as required by HIPAA. DataBreaches.net sent an email enquiry to Woodcreek to clarify the numbers being notified, and will update this post if a answer is received. The incident is not yet up on HHS’s transgress tool.