DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

MNGI Digestive Health joins ranks of “late-notifiers,” finally notifying more than 767,000 patients of breach last summer

Posted on July 21, 2024 by Dissent

This seems to be the month in which many people affected by healthcare breaches in the summer of 2023 are first being notified individually (see, for example, reports on Southcoast Medical and Florida Community Health Centers).  Here’s a third one: 

MNGI Digestive Health was the victim of a cyberattack on August 20, 2023. They reportedly discovered the breach on August 25, 2023. On October 24, 2023, they notified HHS. However, it now seems that although HHS was notified of a breach in October, MNGI was not sending out notifications to affected patients then.

On July 15, MNGI notified the California Attorney General’s Office. Their notification letter to those affected stated that they learned on June 7, 2024 that the recipients’ personal and protected health information was potentially affected by the incident. A notice on MNGI’s website of the same date wrote (emphasis added by DataBreaches):

On June 7, 2024, MNGI identified that certain individuals’ personal and/or protected health information was potentially affected. The potentially affected information may include individuals’ names, Social Security numbers, driver’s license or state identification numbers, passport numbers, dates of birth, medical information and health insurance information, payment card information, and account numbers. On July 15, 2024, MNGI provided written notification of the incident via US mail to impacted individuals

So MNGI may have complied with the requirement to notify HHS within 60 days of discovery, but it was 11 months from discovery before they notified the 767,670 patients whose data was compromised by the AlphV (BlackCat) threat actors.

What happened to the data? Was the data recovered by law enforcement when they seized AlphV servers or is still in the wild or on some criminals’ server(s)? On September 30, 2023, AlphV had started leaking some of the data and threatened to leak the rest. MNGI’s letter is silent about any leak. On the contrary, it states, “Please note that MNGI has no evidence of the misuse or attempted misuse of any potentially impacted information.”

“No later than 60 days from discovery….”

In 2009, when HHS considered the notification timeliness requirements, perhaps 60 days from discovery of a breach seemed reasonable. Perhaps they didn’t really anticipate attacks resulting in encryption of entire systems.

Each year, Protenus’s Breach Barometer analyzes the gap between a breach, its discovery, and its disclosure to regulators and those affected. While many HIPAA-covered entities appear to comply with the 60-day window, when one digs into the actual facts and chronology, it seems that in some cases, the seeming compliance is only “compliance” if the entity redefines “discovery” to the date they finished their investigation and found that PHI was involved.  But that is not how “discovery” is defined, and HHS OCR does not seem to really enforce timely notification compliance.

Should the 60-day “no later than” rule be amended if it is not realistic for entities to comply with it in the event of a ransomware attack that encrypts files? Or is the rule realistic, and entities need to be sure they have an incident response plan that will enable them to comply in the event of a breach?  And does HHS OCR just need to crack down on this issue like it has cracked down on access to records?

This post has focused on health data breaches at HIPAA-covered entities that are first notifying patients many months later than the regulations call for. DataBreaches notes that there are other entities that still haven’t even sent notifications after all this time or more (see, for example, the reports on Essen Medical Associates, North Shore Medical Labs, Henrietta Johnson Medical Center, and EqualizeRCM). In addition, the following never updated initial “marker” reports to HHS since early 2023: Senior Choice, Inc., The Pavillion at Health Park, LLC, South Jersey Behavorial Health Resources, Inc., Unified Operations Virginia LP, Public Health Management, and Paramedic Billing Services. And Minuteman Senior Services has yet to update a report to HHS from January 2023 about an incident in November 2022. How many patients have never been notified as yet about breaches in the first half of 2023?

This is not the first time DataBreaches has raised the issue of whether the “no later than 60 days” rule should be either amended or enforced more rigorously. But until something changes, this site will continue to raise the issue.

Category: Breach IncidentsHackHealth Data

Post navigation

← Hacked in 2022, Dell & Dean law firm first notifying affected clients now
Suffolk County cyberattack recovery costs hit $25M; final tab still being tallied →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.