Netgain: How Corporate Greed Exposed Millions of People’s Private Data
The Non-Financial Ledger
There is a family in Riverside, California. A mother named Misty Meier took her child, identified in court documents only as G.C-M., to Neighborhood Healthcare for medical care. That child’s name, date of birth, address, insurance information, the name of their doctor, and their treatment codes were all entrusted to that clinic. The clinic, in turn, handed that data to Netgain Technology because Netgain promised it had better security than a hospital could build on its own. On April 8, 2021, Misty Meier received a letter telling her that her child’s private medical information had been stolen. Netgain offered free credit monitoring as a remedy. Credit monitoring is useless for a child who has never had a credit account. The child cannot enroll. The data, however, can sit in a criminal’s hands for years, ready to be used the moment the child turns eighteen and tries to take out a student loan, apply for an apartment, or open a bank account. The theft has already happened. The consequences have not yet fully arrived.
Then there is Mark Kalling of Las Vegas, Nevada. He had two surgeries at Nevada Orthopedic and Spine Center. His body had already been through enough. On February 24, 2021, months after the breach began, he received a letter telling him that his Social Security number, date of birth, billing information, driver’s license details, biometric information from that license, insurance card data, and his complete surgical history had been stolen. In the weeks and months that followed, at least four credit card fraud alerts landed in his inbox. He spent over thirty hours of his own time, unpaid, unthanked, and uncompensated, calling banks, disputing transactions, monitoring accounts, and trying to repair what a company he never chose, never spoke to, and never consented to hold his data had broken. He will be doing this, in some form, for years. The lawsuit that bears his name will resolve before his risk does.
Thomas Lindsay of St. Paul, Minnesota was not even notified automatically. He found out about the breach only because he called Apple Valley Medical Clinic to ask about it himself. He had to go looking for the news that his own private data had been stolen. When the clinic finally sent him a letter on March 26, 2021, he spent his own time signing up for credit monitoring, then got on the phone with both his bank and his investment manager to explain what had happened and what they should watch for. He looped in his wife. He did the work that Netgain was paid $32.35 million a year to do.
Robin Guertin of Manning, South Carolina is a patient of Sandhills Medical Center. She received her breach notification letter on March 5, 2021. She signed up for a year of Identity Force credit monitoring out of her own pocket. Every single month after that letter arrived, she manually reviewed her banking records looking for charges that should not be there. She changed every password on every account she owned. She turned her digital life inside out to compensate for someone else’s negligence. None of that time is billable. None of that anxiety is quantifiable. None of it was her fault.
Jane Doe, a San Diego County resident identified by a pseudonym in the court filing, trusted a community health center with her most personal information: her name, her Social Security number, her date of birth, her diagnoses, her treatment records, the name of her doctor, and her treatment cost information. The fact that her name is hidden in this lawsuit while Netgain’s name is published in federal court documents is not irony. It is the correct ordering of shame.
And somewhere in the affected records are the files of patients at Ramsey County, Minnesota, which means government records. People whose mental health histories, addiction treatment records, or social service interactions were stored on Netgain’s servers. People who trusted that system not because they had a choice, but because they needed help and that is where they had to go to get it.
A former Netgain client called Caravus had ended its contract with Netgain before the breach happened. They thought they were done. They were not. Netgain had kept their data sitting on an old server, unencrypted, for more than five years after the contract ended. When the hackers came, that old, forgotten, never-deleted data was right there waiting for them. Caravus’s clients did not find out until May 28, 2021, nearly eight months after the attack began.
These are not statistics. These are people who went to the doctor, trusted a government office, or hired an accountant. They did nothing wrong. A company in St. Cloud, Minnesota sold the promise of protection, collected the money, skipped the work, and then, when it all collapsed, posted blog entries suggesting its own clients bore partial responsibility for the theft of their patients’ most private information.
How It Happened: The Breach Timeline
The attack on Netgain’s systems unfolded over months, while victims went about their lives knowing nothing. The gap between when the breach started and when the last victims were notified stretches across nearly a full year.
- September 2020: Attackers used compromised credentials to enter Netgain’s environment. Domain controllers managing networks of thousands of servers were targeted. Data exfiltration began.
- Late November 2020: Netgain internally discovered the breach. The company began taking client services offline and disabling network pathways to contain the ransomware. The company did not immediately notify the public or most clients.
- January 2021: Netgain began notifying client organizations. Individual victims did not receive letters until February, March, April, and May 2021, meaning some people went four to seven months without knowing their data had been stolen.
- May 28, 2021: Former client Caravus was notified that its data, which should have been deleted after its contract ended years earlier, was exposed in the breach. The data had been sitting on Netgain’s servers unencrypted and undeleted for more than five years.
- August 24, 2021: LifeLong Medical Care in California’s Bay Area was notified, nearly eleven months after the attack began. Social Security numbers, diagnoses, and treatment records of LifeLong patients were among the compromised data.
- September 23, 2021: The consolidated class action complaint was filed in the U.S. District Court, District of Minnesota. At the time of filing, Netgain was still in the process of identifying all affected clients.
What Was Stolen: The Data Anatomy
Netgain held a “master key” to data across all of its clients. When the attackers got in, they did not just access one company’s records. They accessed everything Netgain touched across its entire client base.
- Personal identifying information stolen included full names, Social Security numbers, dates of birth, mailing and billing addresses, email addresses, telephone numbers, and driver’s license numbers including biometric data such as height, weight, organ donor status, and physical appearance as recorded on state-issued ID.
- Protected health information stolen included medical record numbers, health insurance policy and identification numbers, clinical notes, referral requests, laboratory reports, decision-not-to-vaccinate forms, immunization records, medical disclosure logs, diagnosis and treatment codes, billing codes, and the dates and locations of treatment.
- Financial information stolen included bank account numbers, bank routing numbers, patient billing information, treatment cost records, and insurance beneficiary numbers.
- The hackers targeted Netgain’s domain controllers, which managed networks of thousands of servers across multiple clients simultaneously. One breach point gave them access to all of it.
- Netgain paid an undisclosed ransom to the attackers in exchange for assurances the data would be deleted and not published or sold. No public information on the ransom amount was provided. Criminal promises are unenforceable, and there is no verified confirmation the data was destroyed.
Legal Receipts: What the Documents Prove
The court complaint and Netgain’s own published statements form a documented record of what the company claimed, what it knew, and what it admitted after the fact.
“Netgain advertised that ‘The Netgain Standard is included with every solution. Every time.’ The ‘Netgain Standard’ including, among other things, ‘Cybersecurity,’ where Netgain promised to ‘Safeguard [clients’] sensitive data from tomorrow’s threats with DoD-grade, ultra-secure protection.’”
— Consolidated Class Action Complaint, ¶34, Civil No. 21-cv-1210
- This establishes that “DoD-grade, ultra-secure protection” was a specific, deliberate marketing claim used to attract and retain clients in regulated industries. It was not vague aspiration; it was a core sales promise attached to a named product standard.
- The lawsuit argues this claim directly induced healthcare and accounting firms to hand Netgain custody of hundreds of thousands of people’s most sensitive records, based on the belief that Netgain had the security infrastructure to back up the claim. The breach proved it did not.
“Netgain’s cybersecurity page states that: ‘Hackers don’t sleep. But you can’ and, further, that ‘Our security approach enables you to meet-and often exceed-compliance requirements while providing your staff with secure access to the information they need to do their jobs.’”
— Consolidated Class Action Complaint, ¶35, Civil No. 21-cv-1210
- “Hackers don’t sleep. But you can” is a direct promise to clients that Netgain would handle vigilance on their behalf around the clock. The complaint documents that Netgain was not running around-the-clock threat detection at the time of the breach.
- After the breach was discovered, Netgain announced it was implementing a new “around-the-clock managed detection and response service.” The complaint notes that this type of system had been a standard security recommendation in the healthcare industry since at least 2013 and was not new technology. Netgain’s own advertisement described the service it was not yet running.
“Netgain identified ‘additional opportunities to strengthen [its] security posture’ and needed to ‘implement[] a number of . . . identified enhancements to [its] security posture . . . to progress a multi-pronged [security] approach[.]’ These measures purportedly included ‘deploy[ing] new tools, revised policies and enforcement procedures, and implement[ing] an advanced around-the-clock managed detection and response service for proactive threat monitoring.’”
— Consolidated Class Action Complaint, ¶49, citing Netgain’s own post-breach blog, March 24, 2021
- This is Netgain admitting, in its own words, that its security posture had identifiable gaps that required multiple enhancements after the breach. It confirms the pre-breach security was insufficient by the company’s own assessment.
- The phrase “multi-pronged approach” signals that Netgain was implementing security layers for the first time post-breach that should have been in place before it ever accepted custody of healthcare and financial data.
- The complaint specifically notes that the “new tools” Netgain announced were standard-issue recommendations from data security experts for years preceding the breach, including basic enterprise monitoring software available since 2013. These were not cutting-edge upgrades; they were overdue basics.
“For too long, managed service providers and technology partners (including us) have taken the stance of shielding our clients from the headaches, intricacies, and complications that a strong security stance involves. While it’s true that we can significantly reduce the burden of security on our clients and their teams, the responsibility is still shared. We owe it to our clients to ensure that they not only understand the steps we’re taking as their IT partner, but also the measures that require their active participation and consent.”
— Netgain’s own blog post, “What We Learned as a Ransomware Victim – So You Don’t Become One,” March 24, 2021 (cited in Complaint ¶71)
- This is the same company that sold the promise “Hackers don’t sleep. But you can” now, after the breach, telling its clients that security was always a shared responsibility. The contradiction is complete and documented.
- The complaint argues this constitutes an effort by Netgain to deflect blame onto its clients, who were healthcare and accounting firms with no cybersecurity expertise and who had hired Netgain specifically because they lacked that expertise.
- Netgain, not its clients, controlled its own servers, its own network architecture, its own monitoring tools, and its own hiring decisions. The complaint directly states Netgain was “disorganized, had an incredibly high rate of employee turnover, and had extensive problems meeting deadlines and addressing client concerns” in the period leading up to the breach. The clients had no visibility into any of this.
“Caravus’s investigation revealed that, despite having previously end[ed] its contract with Netgain, Netgain’s servers still retained Caravus’s data from in or before 2016. As one security blogger put it: ‘for more than 5 years, [Caravus’s] data sat on an old server and Netgain never securely deleted it or encrypted it at rest[.]’”
— Consolidated Class Action Complaint, ¶44, Civil No. 21-cv-1210
- This establishes that Netgain’s failures extended to data governance and retention practices. The FTC’s own published guidance, cited in the complaint, explicitly requires businesses to properly dispose of personal information that is no longer needed. Netgain did not do this for at least five years after a client relationship ended.
- Caravus and its clients had no idea their data still existed on Netgain’s servers. They had no mechanism to check. This is the hidden cost of outsourcing data custody to a third party: you lose visibility into where your records actually live.
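The Caravus failure described above is a data-governance defect a custodian can detect on its own side. The following retention sweep is an added example, not code from the complaint or from Netgain's systems; the 90-day deletion window, the store paths and the client names are assumptions. It walks a constructed inventory and emits a finding for every store that is either retained past its deletion deadline after a contract ended or holds personal data without encryption at rest.

```python
"""Retention and encryption-at-rest sweep over a custodian's client inventory.

Added example (not from the complaint or from Netgain). Flags the two failure
modes the Caravus incident illustrates: former-client data kept past its
deletion deadline, and personal data stored unencrypted at rest.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy value (not from the page): a former client's data must be
# securely deleted within 90 days of the contract end date.
RETENTION_AFTER_TERMINATION = timedelta(days=90)


@dataclass(frozen=True)
class DataStore:
    client: str
    path: str
    contract_end: Optional[date]  # None while the contract is still active
    encrypted_at_rest: bool
    contains_personal_data: bool


@dataclass(frozen=True)
class Finding:
    client: str
    path: str
    issue: str
    remediation: str


def retention_findings(inventory: List[DataStore], today: date) -> List[Finding]:
    """Return one Finding per policy violation found in the inventory."""
    findings: List[Finding] = []
    for store in inventory:
        # Former client: data must be gone once the deletion window has passed.
        if store.contract_end is not None:
            deadline = store.contract_end + RETENTION_AFTER_TERMINATION
            if today > deadline:
                overdue = (today - deadline).days
                findings.append(Finding(
                    store.client, store.path,
                    f"former-client data retained {overdue} days past deletion deadline",
                    "securely delete and record a certificate of destruction"))
        # Any client: personal data must be encrypted at rest.
        if store.contains_personal_data and not store.encrypted_at_rest:
            findings.append(Finding(
                store.client, store.path,
                "personal data stored without encryption at rest",
                "encrypt the volume or migrate to an encrypted store"))
    return findings


# Constructed sample inventory; client names and paths are placeholders.
# former-client-a mirrors the Caravus pattern: contract ended in 2016, data
# still present and unencrypted when the sweep runs in September 2020.
SAMPLE_INVENTORY = [
    DataStore("former-client-a", "/srv/legacy/former-client-a", date(2016, 3, 1), False, True),
    DataStore("clinic-b", "/srv/clients/clinic-b", None, True, True),
    DataStore("firm-c", "/srv/clients/firm-c", None, False, True),
]
AS_OF = date(2020, 9, 1)  # constructed sweep date

if __name__ == "__main__":
    for f in retention_findings(SAMPLE_INVENTORY, AS_OF):
        print(f"{f.client}: {f.issue} ({f.path}) -> {f.remediation}")
```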
Who Was Connected: The Breach Network
Netgain’s IT services model meant that compromising one company gave attackers access to data from all of its clients simultaneously. This is the structural risk of centralized third-party data custody.
Societal Impact Mapping
Public Health
When medical records are stolen from a healthcare IT provider, the damage extends past individual fraud. The security of the entire system people use to access care is compromised.
- Patient treatment records, clinical notes, diagnoses, lab results, referral requests, and immunization histories were among the data confirmed stolen. This means the most sensitive details of a person’s physical health history are now potentially in criminal hands with no guaranteed path to retrieval or destruction.
- Fraudsters with stolen medical records can use them to bill for procedures never performed, fill fraudulent prescriptions, or obtain medical care in a victim’s name. The victim’s actual medical records may then be contaminated with incorrect information that could lead to misdiagnosis or dangerous treatment decisions in future medical encounters.
- The complaint specifically notes that minor children’s data was included in the breach, including the health records of Plaintiff Meier’s child G.C-M. A child’s medical records stolen before they have the awareness or credit history to detect misuse can remain exposed for over a decade before the harm surfaces.
- Decision-not-to-vaccinate forms and immunization records were confirmed as part of the compromised health data. This category of information is particularly sensitive because it can reveal religious or philosophical beliefs that people have a right to keep private.
- Health Center Partners of Southern California serves community health centers, meaning many of its patients are lower-income individuals who rely on community clinics for primary care. These are people with the fewest resources to spend dozens of hours repairing identity theft damage.
- LifeLong Medical Care, one of the last organizations notified, provides health, dental, and social services in California’s San Francisco Bay Area. Its patient population includes individuals receiving social services, meaning the breach potentially exposed the records of some of the most vulnerable people in that region.
- According to the complaint, studies show one in four people who receive a data breach notification become victims of identity fraud. Applied to hundreds of thousands of breach victims here, that is a statistical certainty that tens of thousands of people will face concrete financial harm.
The financial burden of cleaning up Netgain’s security failure was shifted entirely onto the victims, most of whom had no knowledge Netgain even existed, let alone that it held their data.
- Victims were required to spend their own unpaid time and money on credit monitoring services, bank and investment manager consultations, account closures, new account openings, password resets, and ongoing monthly reviews of financial statements. Plaintiff Kalling alone spent over thirty hours on this work after his surgeries at Nevada Orthopedic and Spine Center.
- The complaint notes that victims of new account identity theft must spend time correcting fraudulent information in credit reports, closing and reopening accounts, disputing charges with creditors, and monitoring records for inaccuracies, potentially for years or decades. This is an ongoing tax on their time with zero compensation from the company that caused it.
- Netgain offered free credit monitoring as its primary remediation tool. This is worthless for minor children like G.C-M., who have no credit history to monitor. The company’s fix excluded one of the most vulnerable categories of its victims from the only relief it offered.
- Studies cited in the complaint value personal data privacy to U.S. consumers at approximately $30 to $44 per record. Netgain stripped that value from hundreds of thousands of people who received nothing in return and were never asked for consent.
- The complaint documents that dark web criminals sell infants’ Social Security numbers for $300 each, specifically for use in fraudulent tax returns. Children whose data was stolen in this breach face potential tax fraud before they ever file a return.
- Identity theft victims frequently face indirect costs including litigation initiated by creditors and the obstacles of obtaining or retaining credit and housing. These costs compound over time, creating a multi-year economic disruption for people who were patients at a community health clinic, not customers of a tech company.
- Victims in the COVID-19 pandemic period also faced the specific risk that stolen data could be used to fraudulently claim emergency stimulus payments, enhanced unemployment benefits, or other pandemic relief funds, diverting public money intended for people in crisis into criminal accounts.
- The FTC has noted that unauthorized Sensitive Information disclosures wreak havoc on consumers’ finances, credit history, and reputation, and can take time, money, and patience to resolve. None of the time, money, or patience required here was provided by the company that caused the harm.
The Cost of a Life: Netgain’s Math
Netgain generated $32,350,000 in annual revenue selling the promise of securing exactly this kind of data.
What Now? Pressure Points and Next Steps
The structural failure here is specific and actionable. A third-party IT vendor with $32 million in revenue and nearly two decades of operation was running healthcare and financial data infrastructure without basic security tools, without data deletion practices for former clients, and without a proactive breach notification system. Holding this kind of company accountable requires pressure on multiple fronts simultaneously.
Leadership Accountability
The complaint names Netgain Technology, LLC as the defendant. The specific individuals responsible for the company’s security decisions and post-breach communications are not identified by name in the source document. Key accountability targets include:
- The CEO and executive leadership of Netgain Technology, LLC who authorized the marketing claims of “DoD-grade” security while the company operated without around-the-clock monitoring, proper data deletion policies, or adequate staffing.
- Patrick Williamson, named in the complaint as the author of Netgain’s post-breach blog post where the company acknowledged security gaps and partially blamed its clients.
- [REDACTED – Not in Source]: The complaint does not identify Netgain’s Chief Information Security Officer or security team leadership. If this case proceeds to discovery, those names will be part of the public record.
Watchlist: Regulatory Bodies With Jurisdiction
- Federal Trade Commission (FTC): The complaint cites Section 5 of the FTC Act as the basis for the negligence per se claim. The FTC has pursued over fifty enforcement actions against businesses for failing to employ reasonable data security measures. This case fits the established pattern precisely. Report to: ftc.gov/complaint
- U.S. Department of Health and Human Services (HHS) Office for Civil Rights: HIPAA governs protected health information. Healthcare clients of Netgain were HIPAA-covered entities and their IT vendor’s breach triggers HIPAA breach notification rules. Report HIPAA violations at: hhs.gov/ocr/complaints
- California Attorney General: The CCPA violation claims are tied to California. California’s AG has specific enforcement authority over CCPA violations affecting California residents including Plaintiffs Meier and Doe.
- Minnesota Attorney General: Netgain is headquartered in St. Cloud, Minnesota. The Minnesota Health Records Act is cited as a cause of action in the complaint. The AG’s office has direct jurisdiction over a breach originating in the state.
- CISA (Cybersecurity and Infrastructure Security Agency): Ransomware attacks on healthcare infrastructure are a federal security priority. CISA maintains a ransomware reporting portal where these incidents can be logged to inform national threat intelligence.
Grassroots Resistance and Mutual Aid
- If you were a patient at any of the 15 confirmed affected organizations, check whether you received a breach notification letter. If you did not receive one and you believe your data was held by one of these providers, contact the provider directly and demand written confirmation of your breach status.
- Freeze your credit at all three bureaus. This is free under federal law and is the single most effective protection against new account fraud. Do it at Equifax, Experian, and TransUnion directly, not through a monitoring service that charges a monthly fee.
- File an IC3 complaint with the FBI’s Internet Crime Complaint Center (ic3.gov) if you have experienced fraud following a breach notification. The complaint notes that rapid reporting helps law enforcement stop fraudulent transactions before money is permanently lost.
- Parents of minors affected by this breach should place a credit freeze specifically on their child’s Social Security number. This is not automatic and requires a separate freeze request. Instructions are available directly from each credit bureau.
- Mutual aid networks in affected regions (Minneapolis-St. Paul, San Diego, Las Vegas, South Carolina, the San Francisco Bay Area) should include identity theft recovery in their resource directories. Community navigators and legal aid organizations that help people dispute fraudulent accounts provide essential support that no credit monitoring service can replace.
- Demand contract transparency from your healthcare provider. Ask your clinic, hospital, or dental office in writing who their third-party IT vendors are, what data those vendors hold, and what their data deletion policy is for former clients. Providers operating in regulated industries have a legal obligation to know the answer to each of those questions.
- Support the class action. The case is Civil No. 21-cv-1210 (SRN/LIB) in the United States District Court, District of Minnesota. Class members may be entitled to actual damages, statutory damages under California law of no less than $100 and up to $750 per record, and injunctive relief. Contact information for Interim Co-Lead Counsel is on file with the court: Chestnut Cambronne PA (Minneapolis) and Zimmerman Reed LLP (Minneapolis).
The source document for this investigation is attached below.