Medical Informatics Engineering Cyberattack Update

Few details of the Medical Informatics Engineering cyberattack were announced in June when the news of the data breach first surfaced; 6 weeks on, further information about the MIE data breach has now been released.

Medical Informatics Engineering Cyber Attack Created 3.9 Million Victims

There has been much speculation about the total number of individuals affected over the previous weeks. It has taken some time for all of the affected individuals to be identified, but now that the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, the scale of the attack has been confirmed.

The OCR’s “Wall of Shame” shows that 3,900,000 individuals have been affected by the Medical Informatics Engineering cyberattack, making it one of the biggest healthcare data breaches of 2015. The data breach lasted for 19 days, during which time hackers were able to access all patient health data stored on the system. Access to data first started on May 7, 2015, with the breach being detected, and access blocked, on May 26.

The attack affected clients that used the company’s NoMoreClipboard service, which number 239 healthcare providers and physicians. Some healthcare providers suffered more than others. Concentra, for instance, had the records of 10,000 of its patients exposed. Residents of the state of Indiana were hit the hardest, with 1.5 million Hoosiers having their Protected Health Information (PHI) exposed in the attack.

Indiana state attorney general, Greg Zoeller, recently alerted state residents to the high risk they now face, warning them that their identities could be stolen, and may already have been. He suggested all 1.5 million place fraud alerts on their credit as a precaution.

Patients Affected by the Medical Informatics Engineering Cyberattack Have Now Been Notified

The hackers were able to gain access to, and copy, a considerable amount of data on patients, including their full names, contact details, Social Security numbers and dates of birth. In some cases, the name of their spouse – and some spouse information – was also compromised. Login names and hashed passwords were revealed, along with security questions and answers. The data exposed would allow the hackers to either use, or sell on, information that could be used to file false tax returns, obtain credit in the names of victims, and steal identities.

The media announcement of the data breach – a requirement under HIPAA Rules – came relatively quickly; however, patients had to wait a considerable amount of time to receive notification letters. According to a press release issued by MIE, “On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.” The mailing has now finished, according to the statement. “On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015.”

Breach Notification Letters Delayed to Avoid Confusion

The reason provided for the delay in sending notification letters was the scale and complexity of the breach. First, MIE had to notify the individual healthcare providers about the patients that had been affected, and a considerable amount of cross-checking was required, as some patients had visited more than one healthcare provider. MIE wanted to prevent patients from receiving multiple notification letters about the breach, as it was believed this would have caused confusion.

Due to the high risk of harm and damage being suffered as a result of the Medical Informatics Engineering cyberattack, patients are being offered two years of credit monitoring and protection services rather than the minimum 12 months of cover. They have also been added to an insurance policy that will cover any losses – up to $1 million.

Since the data breach occurred almost two months ago, the perpetrators have had plenty of time to use the data. Patients are therefore urged to sign up for the risk mitigation services offered at the earliest opportunity, in addition to obtaining credit reports from Experian, Equifax and TransUnion.

Co-Founder and COO of Medical Informatics Engineering, Eric Jones, issued a statement about the breach, saying that the company is sorry for the inconvenience caused and explaining that efforts are being made to reduce the risk of similar incidents occurring in the future. He said, “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news