In-brief: Four million patients of more than 230 hospitals, doctors offices and clinics had patient data exposed in a May attack on the Fort Wayne, Indiana firm Medical Informatics Engineering (MIE), according to the Indiana Attorney General.
Four million patients of more than 230 hospitals, doctors offices and clinics had patient data exposed in a May hack ofFort Wayne, Indiana firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system, according to the Indiana Attorney General.
The breach affected 3.9 million people in total, 1.5 million in Indiana alone, almost a quarter of the state’s population, according to a statement by the Indiana Attorney General’s Office. The breach affects healthcare organizations from across the country. Healthcare providers ranging from prominent hospitals to individual physicians’ offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach.
However, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed, the Security Ledger has learned.
“We have received no information from MIE regarding that,” said a spokeswoman for Fort Wayne Radiology Association, one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.
Calls and e-mail messages seeking comment from EMI were not returned.
Fort Wayne Radiology did not use the NoMoreClipboard health record system, but it did contract with EMI for so-called PACs (or picture archiving and communications systems), the spokeswoman said. PACs are used to store, analyze and distribute medical images, often in concert with EHR systems.
According to MIE’s statement, released on July 24, individuals who received services from Fort Wayne Radiology Association and a variety of other imaging and MRI centers were also compromised when a database relating to the healthcare providers was breached in the incident, MIE said. That contained data going back more 17 years and involved another 44 healthcare organizations in three states: Indiana, Ohio and Michigan.
But as of Friday, the medical imaging firm said it did not know exactly what customer data had been accessed or whether stored radiologic images and other information was exposed to hackers. Fort Wayne Radiology referred questions about the types of data exposed in the breach or the number of exposed patients to MIE.
Other affected firms appeared to be moving on, albeit with regret. “Our letters went out. I even received mine,” said Joleen Shuster, the Chief Financial Officer at Grisell Memorial Hospital, a small, local hospital serving around 600 residents in and around Ransom Kansas.
One hundred fifteen of Grisell’s patients had information exposed in the breach. But the hospital is part of a network of 28 hospitals that are part of the Great Plains Health Association. All used the NoMoreClipboard system, in part to help them comply with rules in the Affordable Care Act. All had patient data exposed in the hack, she said.
Shuster said Grisell had only be using NoMoreClipboard for around six months. The Kansas Health Information Network standardized on the hosted EHR system as the platform for its Affordable Care Act health portal, which left hospitals no choice but to adopt it for their patients, she noted.
“It’s one of those government mandates, you know? Get everyone on that patient portal,” Shuster said.
In contrast to internal security incidents, MIE has handled all communications with Grisell’s customers itself, Shuster said.
Still, Shuster said that MIE had been a good partner with Grisell: sending patients detailed breach notices and setting up an 800 number to answer questions. She said patients had come in with their letters and questions, but Shuster said she did not have any evidence of any patient information being used for identity theft or other scams.
At the Prince George’s County Health Department, another customer who was listed in EMI’s statement, Public Information Officer Dellia Williams said the Department had purchased the NoMoreClipBoard software, but hadn’t yet deployed it, so no patient data was exposed in the hack.
Indiana Attorney General Greg Zoeller in a statement Thursday urged Indiana residents to “freeze their credit” in the wake of the data breach. The state, which is home to MIE, was particularly hard hit, with 11 providers and 44 radiology centers in state impacted. “We are faced with yet another massive data breach putting countless Hoosiers at risk of identity theft and fraud,” Zoeller said. “People cannot sit back and assume they won’t become a victim of these crimes which are costly, time-consuming to fix and can have a long-term impact on your financial stability and credit. Everyone in Indiana should have a credit freeze in place to protect themselves from becoming a victim of identity theft and fraud.”
EMI first discovered evidence of a security compromise on May 26. An investigation, with the help of third-party forensics experts, revealed that the intrusion began on May 7, 2015, EMI said in June. The attackers made off with protected health information on some patients of some EMI clients. Data including the patients’ names, mailing addresses, email addresses and dates of birth were compromised. Other patients had additional information stolen included Social Security Numbers, lab results, dictated reports, and medical conditions.
However, it appears that not all users of EMI’s NoMoreClipBoard were exposed. Shuster of Grisell Memorial said that some users of the system had not received breach notices – presumably because their data had not been accessed. This is just the latest, large-scale attack on a healthcare organization, following attacks on healthcare providers Anthem and Premera and well as Community Health Services, among many others. It is also notable for coming by way of a third party and a provider of hosted electronic health records (EHR) software and services. Attacks on third party firms are becoming a favored approach for sophisticated attackers, who can often compromise the records of many companies at once.
“Attackers are going after our most sensitive data, which can be used to compromise consumer financial accounts, steal identities and as defraud the government,” said Eric Chiu, president & co-founder of HyTrust, which provides security software for cloud-based software firms. “Every healthcare firm, large and small, that stores patient data is at risk of a breach and more needs to be done to protect consumers against these cyberattacks,” he said in an email statement.