DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

MNGI Digestive Health joins ranks of “late-notifiers,” finally notifying more than 767,000 patients of breach last summer

Posted on July 21, 2024 by Dissent

This seems to be the month in which many people affected by healthcare breaches in the summer of 2023 are first being notified individually (see, for example, reports on Southcoast Medical and Florida Community Health Centers).  Here’s a third one: 

MNGI Digestive Health was the victim of a cyberattack on August 20, 2023. They reportedly discovered the breach on August 25, 2023. On October 24, 2023, they notified HHS. However, it now seems that although HHS was notified of a breach in October, MNGI was not sending out notifications to affected patients then.

On July 15, MNGI notified the California Attorney General’s Office. Their notification letter to those affected stated that they learned on June 7, 2024 that the recipients’ personal and protected health information was potentially affected by the incident. A notice on MNGI’s website of the same date wrote (emphasis added by DataBreaches):

On June 7, 2024, MNGI identified that certain individuals’ personal and/or protected health information was potentially affected. The potentially affected information may include individuals’ names, Social Security numbers, driver’s license or state identification numbers, passport numbers, dates of birth, medical information and health insurance information, payment card information, and account numbers. On July 15, 2024, MNGI provided written notification of the incident via US mail to impacted individuals

So MNGI may have complied with the requirement to notify HHS within 60 days of discovery, but it was 11 months from discovery before they notified the 767,670 patients whose data was compromised by the AlphV (BlackCat) threat actors.

What happened to the data? Was the data recovered by law enforcement when they seized AlphV servers or is still in the wild or on some criminals’ server(s)? On September 30, 2023, AlphV had started leaking some of the data and threatened to leak the rest. MNGI’s letter is silent about any leak. On the contrary, it states, “Please note that MNGI has no evidence of the misuse or attempted misuse of any potentially impacted information.”

“No later than 60 days from discovery….”

In 2009, when HHS considered the notification timeliness requirements, perhaps 60 days from discovery of a breach seemed reasonable. Perhaps they didn’t really anticipate attacks resulting in encryption of entire systems.

Each year, Protenus’s Breach Barometer analyzes the gap between a breach, its discovery, and its disclosure to regulators and those affected. While many HIPAA-covered entities appear to comply with the 60-day window, when one digs into the actual facts and chronology, it seems that in some cases, the seeming compliance is only “compliance” if the entity redefines “discovery” to the date they finished their investigation and found that PHI was involved.  But that is not how “discovery” is defined, and HHS OCR does not seem to really enforce timely notification compliance.

Should the 60-day “no later than” rule be amended if it is not realistic for entities to comply with it in the event of a ransomware attack that encrypts files? Or is the rule realistic, and entities need to be sure they have an incident response plan that will enable them to comply in the event of a breach?  And does HHS OCR just need to crack down on this issue like it has cracked down on access to records?

This post has focused on health data breaches at HIPAA-covered entities that are first notifying patients many months later than the regulations call for. DataBreaches notes that there are other entities that still haven’t even sent notifications after all this time or more (see, for example, the reports on Essen Medical Associates, North Shore Medical Labs, Henrietta Johnson Medical Center, and EqualizeRCM). In addition, the following never updated initial “marker” reports to HHS since early 2023: Senior Choice, Inc., The Pavillion at Health Park, LLC, South Jersey Behavorial Health Resources, Inc., Unified Operations Virginia LP, Public Health Management, and Paramedic Billing Services. And Minuteman Senior Services has yet to update a report to HHS from January 2023 about an incident in November 2022. How many patients have never been notified as yet about breaches in the first half of 2023?

This is not the first time DataBreaches has raised the issue of whether the “no later than 60 days” rule should be either amended or enforced more rigorously. But until something changes, this site will continue to raise the issue.

Category: Breach IncidentsHackHealth Data

Post navigation

← Hacked in 2022, Dell & Dean law firm first notifying affected clients now
Suffolk County cyberattack recovery costs hit $25M; final tab still being tallied →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.