One of the breach notices that showed up in routine searches this morning was from Associated Eye Care Partners, LLC (“AEC”). The first sentence of the notification letter was:
We are contacting you to inform you of a data incident experienced by a third-party vendor for Associated Eye Care Partners, LLC (“AEC”).
My mind immediately jumped to Eye Care Leaders as the vendor.
I was wrong, though. The vendor was Netgain Technology.
Regular readers may recall that the Netgain Technology ransomware incident occurred in December 2020, and we started seeing reports from its covered entities in January 2021.
So why are we first still seeing reports from its covered entities in July 2022? What happened to the no later than 60 days from discovery deadline for notification? Was this Associated Eye Care Partners, LLC’s first report or was this just an update?
AEC’s notification does not reveal when Netgain first notified them of the breach. It simply states that “upon notification,” they began working and investigating, etc. In the course of its investigation, Netgain reportedly provided AEC with potentially impacted data sets, but again, AEC does not indicate when Netgain provided those sets. They simply report, “AEC then underwent an extensive data mining project to identify all impacted individuals, which was completed on May 16, 2022.”
Based on that last sentence, it appears that the July 8, 2022 notification may actually be its first disclosure. DataBreaches can find nothing on their website, nor any report to HHS. Perhaps this new notification will appear on HHS’s site in the near future, but for now, we do not have any numbers to report.
“The Abundance of Caution” Crap
The data were stolen by criminals. The presumption should be that they didn’t take the data just as a souvenir. They took the data to misuse it — maybe to pressure their victim to pay ransom, and/or maybe to sell the data or misuse it for fraudulent purposes. Either way, shouldn’t the presumption in a ransomware incident be that it is a reportable breach?
Like too many others, AEC tries to make it sound like notification is optional. They state that AEC “does not have any evidence to indicate that any of your personal information has been or will be misused as a result of this incident. Nevertheless, AEC decided to notify you of this incident out of an abundance of caution.”
It’s high time HHS and state attorneys general issued one warning to all entities to stop this misleading language. Entities should also be required to alert patients when data has been leaked on the internet following a breach, and if it has not been leaked, to at least alert patients to the very real possibility that it may be leaked by criminals at some later date.
You can read AEC’s notification, including their mitigation offer to those affected, on the Montana Attorney General’s website.
For its part, Netgain is still facing litigation over the 2020 incident. In March 2021, they issued blog posts, “What we learned as a ransomware victim – so you don’t become one.”
Update of July 15, 2022: This incident was reported to HHS by Associated Eye Care as impacting 40,793 patients.