Back in January, this site noted that a ransomware attack on Netgain Technology LLC had impacted Ramsey County. Previous coverage of the Netgain Technology attack had reported that Netgain had stated that they were victims of a ransomware attack on November 24th, 2020 and
On December 4th, customers began receiving emails from Netgain stating that they may experience “system outages or slowdowns” due to a cyberattack on the hosting provider.
Now it appears that not everybody was notified on December 4 and the breach was much bigger than we may have thought.
On February 17, external counsel for Woodcreek Provider Services provided a detailed letter to Washington state’s attorney general. That statement reported that on January 4, 2021, Woodcreek Provider Services was notified that
Netgain’s systems had been compromised, but the impact on Woodcreek Provider Services data was unknown. Additional details about the incident were provided on January 14, 2021. At that time, Netgain reported a security incident that involved unauthorized access to portions of the Netgain environment which Netgain had discovered in late November 2020 but may have occurred as early as September 2020.
According to the letter from Barbra Nault of Studebaker|Nault, the threat actors reportedly deployed the ransomware on December 3, and data from Woodcreek was exfiltrated prior to that deployment.
Of note, Netgain reportedly paid the threat actors and
recovered Woodcreek Provider Services’ information. The type of ransomware and the amount of the payment were not disclosed, but counsel for Woodcreek wrote that Netgain had
received assurances that the attackers deleted the data and did not retain any copies. Netgain reported that through law enforcement channels and its cybersecurity expert’s engagements with this threat actor, Netgain was informed that once payment is made, the threat actors are not known to post the data nor keep any copies of it. As an added precaution, Netgain reported its cybersecurity experts continue to monitor for any signs that the data exfiltrated has been posted for sale, and that as of January 14, 2021, no such indications have been identified.
Assurances notwithstanding, Woodcreek appropriately began the process of processing the copy of the data set it received from Netgain on January 18 in preparation for mailing notifications.
The recovered data set reportedly included both “personal information” as defined by Washington statute and “protected health information” as defined under HIPAA.
The recovered data set included the following types of personal information from business records maintained by Woodcreek Provider Services: full names, dates of birth, social security numbers, student identification numbers, health insurance policy numbers, bank account numbers (from direct deposit forms and voided checks), resumes, transcripts, performance appraisals, criminal background check reports, court documents related to garnishments, court orders and decrees, copies of diplomas, degrees, board certifications, Drug Enforcement Agency certificates, payroll withholding authorizations for 401k elections and insurance deduction authorizations, benefit enrollment forms, payroll tax forms (W2s, W4s, 1095s, & K1s), and employee health information, including vaccination records, on-the-job injury reports and safety incident reports.
The recovered data set also included protected health information maintained by Woodcreek Provider Services, Woodcreek Healthcare and/or MultiCare Health System, including patient names and addresses, medical record numbers, dates of birth, insurance identification numbers, insurance claims information, explanation of benefits, statements, clinical notes, referral requests, laboratory reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, prescription requests, release of information forms, subpoena records requests, medical record disclosure logs, incident reports, invoices, correspondence with patients, and some medical records. The primary electronic medical records database was not affected by this incident.
For the data set, 557 persons needed to be notified of the personal information, and an additional group of 25,360 needed to be notified because their personal information was associated with individuals receiving services delivered by either Multicare Health System or Woodcreek Healthcare.
That would appear to be 25,360 Washington residents because later in the notification it says:
Woodcreek Provider Services is a business associate of MultiCare Health System as that relationship is defined in HIPAA and is also complying with the requirements of HIPAA in responding to this incident. An additional group of approximately 210,000 individuals will receive notification of this incident as required by HIPAA.
DataBreaches.net sent an email inquiry to Woodcreek to clarify the numbers being notified, and will update this post if a response is received.
The incident is not yet up on HHS’s breach tool.
Update of March 9: Woodcreek responded that they would not make any additional comment. So they apparently won’t clarify what their disclosure meant in terms of numbers — whether it was 210,000 or 235,000 or some other number. This could start a new trend in disclosures: write a confusing notification and then refuse to clarify what you wrote. In the meantime, we will wait to see what shows up on HHS’s public breach tool.
March 11: Woodcreek reported this to HHS on March 5 as impacting 207,000. Given that the number was smaller than their February 17 disclosure, it seems somewhat foolish of them not to respond to this site’s inquiry seeking clarification on the numbers. Why leave people thinking your breach impacted more people than it actually did when you have an opportunity to set the record straight?