Editor's note: This article was updated on July 24, 2015.
Medical Informatics Engineering (MIE) announced last week that PHI was potentially exposed for patients of certain MIE clients.
MIE became aware of suspicious activity on one of its servers on May 26, according to a company statement. Affected clients include Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group. The information that was possibly affected includes patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.
The company added that it does not collect or store financial information or credit card information, so that data would not have been affected in the incident.
“Medical Informatics Engineering immediately began an investigation to identify and remediate any identified security vulnerability,” the statement explained. “Medical Informatics Engineering’s team, including independent third-party forensics experts, has been working continuously to investigate the attack and enhance data security and protection.”
MIE referred to the incident as a “sophisticated cyber attack,” and said that the unauthorized access may have begun on May 7, 2015.
NoMoreClipboard, an MIE subsidiary based in Indiana, was also affected by the cyber attack. NoMoreClipboard patients who used a NoMoreClipboard portal/personal health record may have been impacted by the data breach, according to a company statement. While it did not say how many individuals were affected, NoMoreClipboard encouraged all of its members to change the password for their NoMoreClipboard account.
“On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard clients,” the company explained. “Affected individuals for whom we have a valid postal address will also be notified of this incident through U.S. mail. We will also be disclosing this incident to certain state and federal regulators.”
Indiana-based South Bend Medical Foundation (SBMF) utilizes “My Lab Results,” which is an external patient network portal provided by NoMoreClipboard. SBMF reported that the cyber security incident may have exposed some personally identifiable information for individuals who view their lab results through the NoMoreClipboard tool.
“We have been assured that this investigation will be completed by the end of the week,” SBMF said in a June 11 statement, “but at this time, it appears that only demographic information was compromised and no medical information, laboratory results or financial records have been compromised.”
MIE said that it will provide complimentary credit monitoring and identity protection services to affected individuals for two years.
It is currently unclear how many individuals are potentially affected by the MIE data breach, as well as the NoMoreClipboard portion of the cyber attack. Federal law dictates that regardless of the size of a PHI data breach, individual notification must take place without unreasonable delay or no later than 60 days following the breach discovery.
Moreover, Indiana state law requires “data base owners, state agencies, businesses, and organizations that collect and maintain personal information to notify [individuals] in the event of a security breach,” and that this must be done “without unreasonable delay.”
“The notification should provide enough detail so that you can be prepared to protect yourself against identity theft or fraud,” according to the Indiana Attorney General website. “Failure to comply with the notification requirement can result in a lawsuit by the Attorney General and an order to pay civil penalties of up to $150,000.00.”
UPDATE: Following its earlier reported PHI data breach, Medical Informatics Engineering (MIE) has begun contacting affected individuals, according to a statement made by the company. MIE reported that it has started the appropriate steps toward contacting the individuals affected by both the MIE data breach and the NoMoreClipboard data breach.
MIE began contacting the affected individuals on June 2, 2015, and proceeded to contact them via mail on July 17, 2015. It plans to send letters to those patients for whom it has valid postal addresses on file, and it plans on having the notification letters sent out on or before July 25, 2015.
MIE also reports that it has contacted the appropriate federal regulators and consumer reporting agencies about the cyberattack, per federal law.