Health records of 5.5 million US patients accessed in MIE breach

The Indiana Attorney General’s Office has launched an investigating into the recent breach suffered by Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard, which resulted in the potential compromise of personal and medical information of nearly 5.5 million US citizens (1.5 million Indiana residents and 3.9 million people in other states).

The company detected suspicious activity in one of their servers on May 26, 2015. They called in third party experts and the FBI Cyber Squad to help with the investigation.

They discovered that the unauthorized access to their network began on earlier that month, on May 7, and they managed to “shut down the attackers as they attempted to access client data.”

“While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering’s network has been affected,” the company noted.

“The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics.”

Some of the compromised data dates back to as far as 1997. A list of healthcare providers and radiology centers whose customers have been affected can be found here.

The company has sent out notifications about the breach to the affected individuals, and has offered them two years of credit monitoring and identity protection services at no cost.

They were also advised to review their credit reports and the explanation of benefits statements that they receive from their healthcare provider or health plan, to place a “fraud alert” on their file with the credit bureaus, and to place a security freeze on their credit reports.

Last week, Indiana Attorney General Greg Zoeller announced that his office will investigate whether the companies had appropriate safeguards in place to protect customers’ data.

“We are continuing to take steps to remediate and enhance the security of our systems,” MIE stated. “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.”