Doctors Still In the Dark After Electronics Records Hack Exposes Data on 4 Million

A hack of the Indiana firm Medical Informatics Engineering has exposed medical information on millions of Americans, including 1.5 million in Indiana.

In-brief: Four million patients of more than 230 hospitals, doctors’ offices and clinics had patient data exposed in a May attack on the Fort Wayne, Indiana firm Medical Informatics Engineering (MIE), according to the Indiana Attorney General.

Four million patients of more than 230 hospitals, doctors’ offices and clinics had patient data exposed in a May hack of the Fort Wayne, Indiana firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system, according to the Indiana Attorney General.

The breach affected 3.9 million people in total, 1.5 million in Indiana alone, almost a quarter of the state’s population, according to a statement by the Indiana Attorney General’s Office. The breach affects healthcare organizations from across the country. Healthcare providers ranging from prominent hospitals to individual physicians’ offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach.

However, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from MIE on how many and which patients had information exposed, the Security Ledger has learned.

“We have received no information from MIE regarding that,” said a spokeswoman for Fort Wayne Radiology Association, one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.

Calls and e-mail messages seeking comment from MIE were not returned.

Fort Wayne Radiology did not use the NoMoreClipboard health record system, but it did contract with MIE for so-called PACS (picture archiving and communication systems), the spokeswoman said. PACS are used to store, analyze and distribute medical images, often in concert with EHR systems.

According to MIE’s statement, released on July 24, individuals who received services from Fort Wayne Radiology Association and a variety of other imaging and MRI centers were also compromised when a database relating to those healthcare providers was breached in the incident. That database contained data going back more than 17 years and involved another 44 healthcare organizations in three states: Indiana, Ohio and Michigan.

But as of Friday, the medical imaging firm said it did not know exactly what customer data had been accessed or whether stored radiologic images and other information were exposed to hackers. Fort Wayne Radiology referred questions about the types of data exposed in the breach or the number of exposed patients to MIE.

Other affected firms appeared to be moving on, albeit with regret. “Our letters went out. I even received mine,” said Joleen Shuster, the Chief Financial Officer at Grisell Memorial Hospital, a small, local hospital serving around 600 residents in and around Ransom, Kansas.

One hundred fifteen of Grisell’s patients had information exposed in the breach. But the hospital belongs to the Great Plains Health Association, a network of 28 hospitals. All used the NoMoreClipboard system, in part to help them comply with rules in the Affordable Care Act. All had patient data exposed in the hack, she said.

Shuster said Grisell had only been using NoMoreClipboard for around six months. The Kansas Health Information Network standardized on the hosted EHR system as the platform for its Affordable Care Act health portal, which left hospitals no choice but to adopt it for their patients, she noted.

“It’s one of those government mandates, you know? Get everyone on that patient portal,” Shuster said.

In contrast to internal security incidents, MIE has handled all communications with Grisell’s customers itself, Shuster said.

Still, Shuster said that MIE had been a good partner with Grisell: sending patients detailed breach notices and setting up an 800 number to answer questions. She said patients had come in with their letters and questions, but Shuster said she did not have any evidence of any patient information being used for identity theft or other scams.

At the Prince George’s County Health Department, another customer listed in MIE’s statement, Public Information Officer Dellia Williams said the Department had purchased the NoMoreClipBoard software but hadn’t yet deployed it, so no patient data was exposed in the hack.

Indiana Attorney General Greg Zoeller in a statement Thursday urged Indiana residents to “freeze their credit” in the wake of the data breach. The state, which is home to MIE, was particularly hard hit, with 11 providers and 44 radiology centers in the state affected. “We are faced with yet another massive data breach putting countless Hoosiers at risk of identity theft and fraud,” Zoeller said. “People cannot sit back and assume they won’t become a victim of these crimes which are costly, time-consuming to fix and can have a long-term impact on your financial stability and credit. Everyone in Indiana should have a credit freeze in place to protect themselves from becoming a victim of identity theft and fraud.”

MIE first discovered evidence of a security compromise on May 26. An investigation, with the help of third-party forensics experts, revealed that the intrusion began on May 7, 2015, MIE said in June. The attackers made off with protected health information on some patients of some MIE clients. Data including the patients’ names, mailing addresses, email addresses and dates of birth were compromised. Other patients had additional information stolen, including Social Security Numbers, lab results, dictated reports, and medical conditions.

However, it appears that not all users of MIE’s NoMoreClipBoard were exposed. Shuster of Grisell Memorial said that some users of the system had not received breach notices – presumably because their data had not been accessed. This is just the latest large-scale attack on a healthcare organization, following attacks on healthcare providers Anthem and Premera as well as Community Health Services, among many others. It is also notable for coming by way of a third party and a provider of hosted electronic health records (EHR) software and services. Attacks on third-party firms are becoming a favored approach for sophisticated attackers, who can often compromise the records of many companies at once.

“Attackers are going after our most sensitive data, which can be used to compromise consumer financial accounts, steal identities and to defraud the government,” said Eric Chiu, president & co-founder of HyTrust, which provides security software for cloud-based software firms. “Every healthcare firm, large and small, that stores patient data is at risk of a breach and more needs to be done to protect consumers against these cyberattacks,” he said in an email statement.

14 Comments

  1. Pingback: Data of 4 Million Patients Lost in MIE Hacking - Transigram

  2. Could this be a Chinese-supported hack: The Department of the Army has civilians who may have been part of this breach. Just as with Anthem, yet another layer of people attached to our federal govt.

    • Olmstead Kenkaide

      Linda,

      Maybe Sony was really a Chinese-supported hack too — after all, the number of servicemen and women who are known gamers is truly large. Maybe Target was Chinese-supported, as a lot of military shop at Target and there was access to backend PII data on customers (supposedly). Maybe Michael’s (that craft shop) was repeatedly breached by the Chinese because everybody knows military spouses do a lot of arts and crafts, and what can be more demoralizing than going after them where it hits home the most: scrapbooking and beading?

      I think it’s probably fairly obvious by now to a lot of people that China poses a grave danger to the American way of life, both here and abroad, and if we don’t call them out on it, then who, indeed, will?

      We have to start somewhere, but where and how?

      Chinese food is widely enjoyed by the populace; perhaps a boycott on egg rolls, eggdrop soup, General Tsao’s chicken and moo shu pork is what’s needed to bring parity to this never-ending attribution war, or at least call attention to it? Might we start with dimsum?

• Olmsted- I was not joking around. I don’t think Target or Home Depot has anything to do with this. Let’s be serious about this. Read some of Brian Krebs’ articles. Read more at Security Ledger. Cyber espionage is real. Whether it is China, Russia or a mid-Eastern country there are people looking into computers as we speak. Google NSA map of attacks and you will see. And to be real- they may not talk about it but I am sure we have hackers looking at computers in other countries as well.

        • Olmstead Kenkaide

Of course hackers are real, and of course cyberespionage is real. I’m not debating those things. I’m debating this notion that (a) people believe they can attribute, and (b) people want to attribute to whomever they want to designate as the ‘bad guys’ at any given time. Why do you want to believe China did it? Why are people constantly repeating ‘China, Russia, North Korea, Middle Eastern country (name me 4 of them :))’? All of the attributions I’ve seen done have been an utter sham. What’s more, Brian Krebs doesn’t discuss ‘cyberespionage’ and bridles at the thought of the US committing the same. The truth is that EVERY country, most likely, has some sort of cyber capability. The truth is that some of them use it — but people don’t seem to be willing to do the REAL attribution work (mostly because they cannot; attribution is DIFFICULT and you don’t do it by looking at `strings` in someone’s code or ‘working hours’ like most of the crud I’ve seen passed as ‘research’). Why not blame the French? Or French Canadians? Or Germany? Or America? Or just plain garden variety hackers?

          Why do you believe you know attribution? Because you read blogs? Because you call yourself an identity theft specialist? I think it’s great that there are identity theft specialists out there (and I believe a lot of people need to learn how to recover from such things, not to mention prevent it and have good data/computing hygiene; from what I’ve seen that’s sorely, sorely lacking).

          It’s the fact that you aren’t joking that bothers me. I’m tired of people pulling out these bugaboos. I spend several hours a day researching (really researching) these things. I tear apart code. I read papers. I catch up on blogs and other peoples’ RE work. Yet I don’t yell ‘China!’ or ‘Russia!’ or ‘Middle eastern country!’ and there’s a reason for that: One of the best tools that APTs have is they know exactly what people will WANT to attribute things to. Why would you assume manipulation doesn’t go hand-in-hand with APT? Or even with regular hackers (for money, for fun, for sport, doesn’t matter)?

          BTW you do realise that that ‘NSA map of attacks’ is a joke, yes? Perhaps you ought to learn about proxying. I can guarantee you the gross majority of APT actors, if not all of them unless they feel like being sloppy, take advantage of it.

          Never forget that attribution can be used as a weapon, too — even if it’s just to get at your mind, or the mind of researchers.

          Hysteria isn’t the solution. Knowledge isn’t even the solution but it does cut down on hysteria. And your original comment sounded too much like ‘blame it all on xyz’, which, to me, is a form of hysteria. Hysteria, admittedly, sells (to people who want ideas, to companies, companies themselves, etc), but it has very little to do with reality.

          I never said anything about Home Depot. Everyone knows that was the Ukrainians. Everybody knows ALL economic hacking comes out of Russia and Ukraine, after all. <- That, by the way, was a bad joke. 😛

        • Olmstead Kenkaide

          Linda, sorry, my correction/addendum didn’t nest properly. Please make sure you see it as well (though you probably would have anyway, just a heads-up).

  3. Pingback: Doctors Still In the Dark After Electronics Records Hack – The Threat Vector

  4. Olmstead Kenkaide

Mouse accident ate some of my comment. Continuation of ‘I think it’s great that there are identity theft specialists out there (parenthetical)’ is ‘but that doesn’t mean the skills overlap. They often don’t; in fact, they rarely do. The mindset of the attackers is totally different, and the mindset of a defender is different (especially if they’ve never been an attacker). Someone attacking something for financial gain and for political/military/economic (note, not financial) gain (which is to say, not smaller actors) have goals which are different; so do those who do it for the challenge, to protest, to mess with people (not a fan), and so forth. All of them have different levels of skills, but also different kinds of skills, too. Each has a different level of need for stealth and, crucially, a different understanding of what stealth is. A lot of things are different. Even exploitation methods tend to be different. Somebody who wants to, say, steal medical records may just have done it for kicks or a trophy (despite how disturbing that may sound), or for monetary purposes. This (especially the latter) is far more likely than someone stealing it for some sort of twisted plot to get medical information on servicemen. For that matter, most things are more likely than that. And that may fall more into your bailiwick anyway. As an identity theft specialist, how do you feel about ‘credit monitoring services’ being used to protect that sort of PII? To me, it seems ridiculous. What’s more, in financial cases it often winds up rewarding the very sorts of companies that ‘claim a loss’ by getting paid to do what they do terribly anyway: protect people from identity theft. Yet none of those services can protect, or salvage, someone’s medical records. In your position that’s something I’d be railing more against, but that’s just me: How can we better protect healthcare records to begin with, and how can we ameliorate the violation? Maybe we just consider ‘they’ll just mine the data and come up with a mailing list to use to sell pharmaceuticals to’ (which is my *guess* — not an attribution, and just a guess at an MO) as relatively harmless, yet what if THOSE people get breached? Clearly something needs to be done earlier in the process, right?

    But as to attribution,’

    Sorry, quite a long reply. 🙂

    • My credentials stand for themselves. I have been studying cybercrime and identity theft since 1999. I have national awards for my work. I am a Ponemon Distinguished Fellow. I have spoken at Senate hearings, and still act as a consultant for several federal legislators.

Having said that, do you know that the Department of the Army is based in Indiana? PHI and PII have value on the dark web but can also be used as leverage by various miscreants and others. Do we know who stole this information? No- could even be an insider. However having read what the Indiana AG said we must take this seriously. It never hurts to explore possible scenarios. If we don’t then we never would have linked the many POS breaches.

As to ID Theft Protection Services- their value is limited and companies offer this because it has become commonplace even when it will not help at all as in POS breaches.

      Finally- have you heard of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007 and linked back to the US and Israel?

      • Olmstead Kenkaide

        Just because there has been an increase in the reporting of shark attacks in the news doesn’t mean there has been an increase of shark attacks themselves. That’s the sort of scrutiny I’m asking you to practice — because it’s crucial to weed out the cray-cray from the legitimate and a lot of companies are making billions of dollars capitalising on just this sort of fear (and perpetuating it by creating more things to be afraid of).

        Do you know how many Army bases there are in the world? Saying that the DoA is based out of Indiana is about as irrelevant. If anything it just goes to show that it’s easier to fit data into curves to benefit our viewpoint. That doesn’t make me have an agenda, and it doesn’t make you have an agenda, per se — but it does mean we have to begin to factor such things into our understandings of the world instead of believing that just because A is true means Z is true — when we don’t even have any idea what B, C, D, E through Y are — or what’s true in that set of data. That’s how boogeymen are made, and that’s how people are manipulated. Data can lie on its own — but people often help it when they go into, say, an investigation believing they know the outcome because they want the outcome to be a certain way. It’s a dangerous assumption and it has costs, for people, for society, for economies, for nations — for everyone, and those costs aren’t analogous to the costs we’re being TOLD (when and if we ever are told) are the costs.

        Tell you what. If you have access to those backend systems, then let me know. Making attributions from the outside in is a terrible idea. Weak attribution makes people enemies. Most attribution does, especially when it’s false. Fear is potent. It’s useful. But it’s often based on false assumptions.

        When actors choose to make known, through snide ways, that they are responsible for things — or hint that they’re responsible, we also have to question those attributions too — do we not? I have no idea why you brought up Stuxnet, but since you chose that subject, here’s an alternative reading of attribution: Maybe Israel did it on their own and the US found out later and had to act like it knew all along. Do you understand that that’s a form of pressure too? That attribution can be used to make people do what you want or look foolish? Is my scenario possible? Yes. Is it true? Who knows. It’s a hypothetical. Just like yours was.

        Just because people tell you something doesn’t mean it’s true, and just because people believe things doesn’t make them true. People get used as a tool in all sorts of lines of work, but, I believe, especially, when it comes to attribution.

        If you came out and decided to completely shun these sorts of theories, with all their pomp and suggested direction, how difficult do you believe it’d be to find that consulting work, especially with ‘federal legislators’? Fear sells; people actually TUNE OUT what’s safe when fear is offered as an alternative — and fear itself often creates far more dangers than actual dangers ever have.

        When you say you study cybercrime, what does that entail, from a technical standpoint?

        • Feel free to have your opinion and allow me to disagree. I don’t need to qualify myself to you. Apparently the people I work with are satisfied.

          • Olmstead Kenkaide

            I wasn’t asking you to ‘qualify yourself’ to me, but that’s what you seem to have been trying to do — that and repeating other people’s words. I was asking the questions I was asking because that’s the sort of questions people ask when they have a real dialogue. I am *genuinely* interested in what the response would be if you changed your stance. I am *genuinely* interested in what your technical background is. I’d be more than glad to hear your side of things, I just ask that you provide reasoning for your beliefs. I’ll listen to almost anybody’s beliefs if their reasoning is cogent. What I’m wondering is if you know why you believe what you believe. I’m striving to get into more than opinions. When it comes to attribution, opinions probably cause far more problems than they solve. It’s one thing to theorise when you’ve seen evidence and had access to data and know how to analyse things and aren’t biased (that’s not to say you’re biased, but I believe the federal government is probably biased going into any investigation of servers that belong to the federal government or which affect the federal government — and I’m sure you’d be biased if your machines were hacked, as I’d likely be biased to believe something else if mine were). It’s another thing to theorise a ‘what if’ and work outwards without data. That’s not theorising, or analysing, though it makes for great novels and popular books on the subject. It *is* an opinion and ONLY an opinion. But opinions can hurt people and relations too, and what’s more they can do it without any tacit evidence or proof — who is that fair to? And who does that even benefit?

            Even Feinstein got pissed off when she found out people were spying on her from within her own government. Had she not known it was people within the US government — then who do you believe she’d blame and why?

  5. Pingback: Photo Bombed: Retailers CVS and Costco Admit Customer Data Stolen in Third Party Breach | The Security Ledger

  6. I’ve learned several good stuff here. Certainly price bookmarking for revisiting.
    I wonder how so much attempt you place to make this kind of wonderful informative web site.