TMCnet News
Medical Informatics Engineering Updates Notice to Individuals of a Data Security CompromiseOn behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified. On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data. We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset. Information compromised While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual's name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor's name, medical conditions, and child's name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals' name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information. Notification On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients. On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies. Identity protection services As the investigations continue, and out of an abundance of caution, we are offering affected individuals access to two years of credit monitoring and identity protection services at no charge. Fraud prevention tips We suggest affected individuals remain vigilant and seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements for suspicious activity. We also encourage affected individuals to notify their credit card companies, health care providers, and heath care insurers of this data security incident. Affected individuals may also review explanation of benefits statement(s) that they receive from their healthcare provider or health plan. If an affected individual sees any service that he/she believes he/she did not receive, the individual should contact his/her health care provider or health plan at the telephone number listed on the explanation of benefits statement(s). If an affected individual does not receive regular explanation of benefits statement(s), we suggest he/she contact his/her healthcare provider or health plan and ask that they send a copy after each visit the affected individual makes with his/her health care provider. We also suggest that affected individuals carefully review their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228. At no charge, individuals can also have these credit bureaus place a "fraud alert" on their file that alerts creditors to take additional steps to verify the his/her identity prior to granting credit in his/her name. Please note, however, that because it tells creditors to follow certain procedures to protect an individual's credit, it may also delay the ability to obtain credit while the agency verifies the individual's identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on an individual's file. If you wish to place a fraud alert, or you have questions regarding your credit report, you can contact any one of the following agencies: Equifax, Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374, (800) 525-6285, www.equifax.com; Experian, Consumer Fraud Assistance, P.O. Box 9556, Allen, TX 75013, (888) 397-3742, www.experian.com; TransUnion, Consumer Relations & Fraud Victim Assistance, 1561 E. Orangethorpe Avenue, Fullerton, CA 92831, (800) 372-8391, www.transunion.com. Information regarding security freezes may also be obtained from these sources. The Federal Trade Commission (FTC) encourages those who discover that their information has been misused to file a complaint with them. To file a complaint with the FTC, or to obtain additional information on identity theft and the steps that can be taken to avoid identity theft, the FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261. This notice has not been delayed because of law enforcement; however, instances of known or suspected identity theft should be reported to local law enforcement, your state Attorney General, and the FTC. State Attorneys General may also have advice on preventing identity theft. Individuals can also learn more about placing a fraud alert or security freeze on their credit files by contacting the FTC or state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us. For Kentucky residents, the Attorney General can be contacted at 700 Capitol Avenue, Suite 118, Frankfort, Kentucky 40601-3449, 502-696-5389, www.ag.ky.gov. For Indiana residents, the Attorney General can be contacted at 302 W. Washington Street, Indianapolis, Indiana 46204, (317) 232-6201, www.in.gov. Security Freeze Under MA and WV law, affected individuals have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Under MA and WV law, you may place a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft, and provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in MA and $5.30 in WV each to place, temporarily lift, or permanently remove a security freeze. To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:
The credit reporting agencies have three (3) business days after receiving a request to place a security freeze on a credit file report. The credit bureaus must also send written confirmation to the individual within five (5) business days and provide individual with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze. Toll-free hotline We have established a confidential, toll free hotline to assist affected individuals with questions regarding the incident, their affected personal and protected health information, their affected healthcare provider(s), and the identity monitoring and protection services we are making available. The hotline can be reached at (866) 328-1987, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, except for holidays. If you would like to confirm whether you are affected by this incident, you may call our hotline. Updates regarding this incident, our investigation and steps individuals may take to protect themselves from identity theft and fraud will be available on www.nomoreclipboard.com and www.mieweb.com and through our toll free hotline. Questions regarding the incident should not be directed to your healthcare provider(s) as they may not be able to answer your questions. Affected entities Physician practices, hospitals, and other organizations work with NoMoreClipboard to offer patient portals and personal health records which enable consumers to access and manage health information online. Individuals who use patient portals or personal health records offered by the following entities may be affected by this cyber attack. Individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected organizations include:
In addition to its previously identified clients, including Franciscan St. Francis Health Indianapolis, the following additional healthcare providers were affected by the Medical Informatics Engineering cyber attack. Patients of these healthcare providers may be affected, and individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected healthcare providers include:
RediMed Individuals who received services from Fort Wayne Radiology Association, Open View, Breast Diagnostic Center, PET Imaging or MRI Center during the period of time from January 1, 1997 to May 26, 2015 may be affected. The database relating to these healthcare providers was accessed on May 26, 2015. Individuals may also visit the providers' websites, which may be accessed at www.fwradiology.com , for information on this incident. Affected individuals may include, along with potential others, individuals who received radiology services during this time at any of the organizations identified below:
We take the security of health information very seriously and understand that such incidents cause real concern. We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge. View source version on businesswire.com: http://www.businesswire.com/news/home/20150724005450/en/ |