DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Magnolia Pediatrics notifies patients of a security incident after OCR tells them it’s reportable

Posted on October 1, 2020 by Dissent

Almost one year after Magnolia Pediatrics notified 11,000 patients about a ransomware attack on an unnamed IT vendor, they are now notifying more than 12,000 patients of another attack. This time, they wound up firing their vendor.

According to a notification on their web site, on March 26, the Magnolia Pediatrics discovered a security incident. Their IT vendor, LaCompuTech, investigated and reportedly told them that the only information that was compromised was the Master Boot Record, and that no patient information had been accessed, exfiltrated, or encrypted. According to Magnolia Pediatrics, LaCompuTech advised Magnolia that this was not a HIPAA breach and no notification to patients was required.

Why Magnolia would rely on their tech vendor for legal advice on their HIPAA obligations instead of calling their practice lawyer was not explained.

In any event, on September 11, OCR contacted Magnolia and informed them that this was a reportable incident because any individual who had the ability to encrypt the MBR had access to the entire server and therefore all the protected health information on it.

As a result, Magnolia Pediatric began contacting more than 12,000 patients — even though no protected health information was exfiltrated or copied or directly accessed.

The notification, reproduced below, does not explain how OCR became aware of the incident.  Nor does it indicate whether the vendor was the same vendor who had the ransomware attack in 2019 and who paid the ransom to resolve that one.

DataBreaches.net reached out to LaCompuTech to inquire whether they were the same vendor involved in the ransomware incident and will update this post if a response is received.

In any event, one takeaway from this one seems to be a reminder to have a lawyer who is knowledgeable about HIPAA to advise you on your obligations and to consult with them.

As of today’s date, neither of the practice’s two HIPAA incidents are  marked as closed by OCR.

Magnolia Pediatric_March 26 2020
Category: Commentaries and AnalysesHackHealth DataOf NoteU.S.

Post navigation

← Northern California casino shut down by external computer attack
NY: Former Information Technology Employee Of Hospital Sentenced To 30 Months In Prison For Computer Intrusion →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.