TMCnet News

Medical Informatics Engineering Updates Notice to Individuals of a Data Security Compromise

[July 24, 2015]

Medical Informatics Engineering Updates Notice to Individuals of a Data Security Compromise

On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified.

On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data.

We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.

Information compromised

While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual's name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor's name, medical conditions, and child's name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals' name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.

Notification

On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.

On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.

Identity protection services

As the investigations continue, and out of an abundance of caution, we are offering affected individuals access to two years of credit monitoring and identity protection services at no charge.

Fraud prevention tips

We suggest affected individuals remain vigilant and seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements for suspicious activity. We also encourage affected individuals to notify their credit card companies, health care providers, and heath care insurers of this data security incident. Affected individuals may also review explanation of benefits statement(s) that they receive from their healthcare provider or health plan. If an affected individual sees any service that he/she believes he/she did not receive, the individual should contact his/her health care provider or health plan at the telephone number listed on the explanation of benefits statement(s). If an affected individual does not receive regular explanation of benefits statement(s), we suggest he/she contact his/her healthcare provider or health plan and ask that they send a copy after each visit the affected individual makes with his/her health care provider.

We also suggest that affected individuals carefully review their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228.

At no charge, individuals can also have these credit bureaus place a "fraud alert" on their file that alerts creditors to take additional steps to verify the his/her identity prior to granting credit in his/her name. Please note, however, that because it tells creditors to follow certain procedures to protect an individual's credit, it may also delay the ability to obtain credit while the agency verifies the individual's identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on an individual's file. If you wish to place a fraud alert, or you have questions regarding your credit report, you can contact any one of the following agencies: Equifax, Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374, (800) 525-6285, www.equifax.com; Experian, Consumer Fraud Assistance, P.O. Box 9556, Allen, TX 75013, (888) 397-3742, www.experian.com; TransUnion, Consumer Relations & Fraud Victim Assistance, 1561 E. Orangethorpe Avenue, Fullerton, CA 92831, (800) 372-8391, www.transunion.com. Information regarding security freezes may also be obtained from these sources.

The Federal Trade Commission (FTC) encourages those who discover that their information has been misused to file a complaint with them. To file a complaint with the FTC, or to obtain additional information on identity theft and the steps that can be taken to avoid identity theft, the FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261. This notice has not been delayed because of law enforcement; however, instances of known or suspected identity theft should be reported to local law enforcement, your state Attorney General, and the FTC. State Attorneys General may also have advice on preventing identity theft. Individuals can also learn more about placing a fraud alert or security freeze on their credit files by contacting the FTC or state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us. For Kentucky residents, the Attorney General can be contacted at 700 Capitol Avenue, Suite 118, Frankfort, Kentucky 40601-3449, 502-696-5389, www.ag.ky.gov. For Indiana residents, the Attorney General can be contacted at 302 W. Washington Street, Indianapolis, Indiana 46204, (317) 232-6201, www.in.gov.

Security Freeze

Under MA and WV law, affected individuals have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Under MA and WV law, you may place a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

If you have been a victim of identity theft, and provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in MA and $5.30 in WV each to place, temporarily lift, or permanently remove a security freeze. To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:

					1.			Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
					2.			Social Security number;
					3.			Date of birth;
					4.			If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
					5.			Proof of current address, such as a current utility bill or telephone bill;
					6.			A legible photocopy of a government-issued identification card (state driver's license or ID card, military identification, etc.);
					7.			If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
					8.			If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.

The credit reporting agencies have three (3) business days after receiving a request to place a security freeze on a credit file report. The credit bureaus must also send written confirmation to the individual within five (5) business days and provide individual with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.

Toll-free hotline

We have established a confidential, toll free hotline to assist affected individuals with questions regarding the incident, their affected personal and protected health information, their affected healthcare provider(s), and the identity monitoring and protection services we are making available. The hotline can be reached at (866) 328-1987, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, except for holidays. If you would like to confirm whether you are affected by this incident, you may call our hotline. Updates regarding this incident, our investigation and steps individuals may take to protect themselves from identity theft and fraud will be available on www.nomoreclipboard.com and www.mieweb.com and through our toll free hotline. Questions regarding the incident should not be directed to your healthcare provider(s) as they may not be able to answer your questions.

Affected entities

Physician practices, hospitals, and other organizations work with NoMoreClipboard to offer patient portals and personal health records which enable consumers to access and manage health information online. Individuals who use patient portals or personal health records offered by the following entities may be affected by this cyber attack. Individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected organizations include:

Advanced Cardiac Care

Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center

Advanced Foot Specialists

(including Neurology, Physical Medicine and Neurosurgery)

All About Childrens Pediatric Partners, PC

Altagracia Medical Center

Allen County Dept of Health

Anderson Family Medicine

Arkansas Otolaryngology, P.A.

Grace Community Health Center, Inc.

Auburn Cardiology Associates

Grisell Memorial Hospital

Basedow Family Clinic Inc.

Harding Pediatrics LLP

Bastrop Medical Clinic

Harlan County Health System

Batish Family Medicine

Health Access Program

Beaver Medical

Heart Institute of Venice

Boston Podiatry Services PC

Henderson Minor Outpatient Medicine

Brian Griner M.D.

Henry County Hospital myhealth portal

Brightstarts Pediatrics

Highgate Clinic

Burnsville Medical Center

Hobart Family Medical Clinic

Capital Rehabilitation

Howard Stierwalt, M.D.

Cardiovascular Consultants of Kansas

Howard University Hospital

Carl Gustafson OD

Hudson Essex Nephrology

Carolina Gastroenterology

Huntington Medical Associates

Carolina Kidney & Hypertension Center

Huntington Medical Group

Carolinas Psychiatric Associates

Hutchinson Regional Medical Center

Center for Advanced Spinal Surgery

Idaho Sports Medicine Institute

Chang Neurosurgery & Spine Care

In Step Foot & Ankle Specialists

Cheyenne County Hospital

Independence Rehabilitation Inc

Children's Clinic of Owasso, P.C.

Indiana Endocrine Specialists

Clara A. Lennox MD

Indiana Internal Medicine Consultants

Claude E. Younes M.D., Inc.

Indiana Ohio Heart

CMMC

Indiana Surgical Specialists

Coalville Health Center

Indiana University

Cornerstone Medical and Wellness, LLC

Indiana University Health Center

Cumberland Heart

Indianapolis Gastroenterology and Hepatology

David A. Wassil, D.O.

Internal Medicine Associates

David M Mayer MD

IU - Northwest

Dr. Alicia Guice

Jackson Neurolosurgery Clinic

Dr. Anne Hughes

James E. Hunt, MD

Dr. Buchele

Jasmine K. Leong MD

Dr. Clark

Jewell County Hospital

Dr. Harvey

John Hiestand, M.D.

Dr. John Labban

Jonathan F. Diller, M.D.

Dr. John Suen

Jubilee Community Health

Dr. Puleo

Kardous Primary Care

Dr. Rajesh Rana

Keith A. Harvey, M.D.

Dr. Rustagi

Kenneth Cesa DPM

Dr. Schermerhorn

Kings Clinic and Urgent Care

Dr. Shah

Kiowa County Memorial Hospital

Ear, Nose & Throat Associates, P.C.

Kristin Egan MD

East Carolina Medical Associates

Lakeshore Family Practice

Eastern Washington Dermatology Associates

Lane County Hospital

Ellinwood District Hospital

Logan County Hospital

Family Care Chiropractic Center

Margaret Mary Health

Family Practice Associates of Macomb

Masonboro Urgent Care

Family Practice of Macomb

McDonough Medical Group Psychiatry

Floyd Trillis Jr., M.D.

Medical Care, Inc.

Fredonia Regional Hospital

Medical Center of East Houston

Fremont Family Medicine

Medicine Lodge Memorial Hospital

Generations Primary Care

MedPartners

MHP Cardiology

Rolando P. Oro MD, PA

Michael Mann, MD, PC

Ronald Chochinov

Michelle Barnes Marshall, P.C.

Sabetha Community Hospital

Michiana Gastroenterology, Inc.

Santa Cruz Pulmonary Medical Group

Minneola District Hospital

Santone Chiropractic

Mora Surgical Clinic

Sarasota Cardiovascular Group

Moundridge Mercy Hospital Inc

Sarasota Center for Family Health Wellness

myhealthnow

Sarasota Heart Center

Nancy L. Carteron M.D.

Satanta District Hospital

Naples Heart Rhythm Specialists

Saul & Cutarelli MD's Inc.

Nate Delisi DO

Shaver Medical Clinic, P. A.

Neighborhood Health Clinic

Skiatook Osteopathic Clinic Inc.

Neosho Memorial Regional Medical Center

Sleep Centers of Fort Wayne

Neuro Spine Pain Surgery Center

Smith County Hospital

Norman G. McKoy, M.D. & Ass., P.A.

Smith Family Chiropractic

North Corridor Internal Medicine

Somers Eye Center

Nova Pain Management

South Forsyth Family Medicine & Pediatrics

Novapex Franklin

Southeast Rehabilitation Associates PC

Oakland Family Practice

Southgate Radiology

Oakland Medical Group

Southwest Internal Medicine & Pain Management

Ohio Physical Medicine & Rehabilitation Inc.

Southwest Orthopaedic Surgery Specialists,PLC

On Track For Life

Stafford County Hospital

Ottawa County Health Center

Stephen Helvie MD

Pareshchandra C. Patel MD

Stephen T. Child MD

Parkview Health System, Inc. d/b/a Family

Susan A. Kubica MD

Practice Associates of Huntington

Texas Childrens Hospital

Parkview Health System, Inc. d/b/a Fort Wayne

The Children's Health Place

Cardiology

The Heart & Vascular Specialists

Parrott Medical Clinic

The Heart and Vascular Center of Sarasota

Partners In Family Care

The Imaging Center

Personalized Health Care Of Tucson

The Johnson Center for Pelvic Health

Phillips County Hospital

The Medical Foundation, My Lab Results Portal

Physical Medicine Consultants

Thompson Family Chiropractic

Physicians of North Worchester County

Trego County Hospital

Precision Weight Loss Center

Union Square Dermatology

Primary & Alternative Medical Center

Volunteers in Medicine

Prince George's County Health Department

Wells Chiropractic Clinic

Rebecca J. Kurth M.D.

Wichita County Health Center

Relief Center

William Klope MD

Republic County Hospital

Wyoming Total Health Record Patient Portal

Ricardo S. Lemos MD

Yovanni Tineo M.D.

Richard A. Stone M.D.

Zack Hall M.D.

Richard Ganz MD

River Primary Care

In addition to its previously identified clients, including Franciscan St. Francis Health Indianapolis, the following additional healthcare providers were affected by the Medical Informatics Engineering cyber attack. Patients of these healthcare providers may be affected, and individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected healthcare providers include:

RediMed
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery)
Fort Wayne Radiology Association, LLC including d/b/a Nuvena Vein Center and Dexa Diagnostics
Open View MRI, LLC
Breast Diagnostic Center, LLC
P.E.T. Imaging Services, LLC
MRI Center -Fort Wayne Radiology, Inc. (f/k/a Advanced Imaging Systems, Inc.)

Individuals who received services from Fort Wayne Radiology Association, Open View, Breast Diagnostic Center, PET Imaging or MRI Center during the period of time from January 1, 1997 to May 26, 2015 may be affected. The database relating to these healthcare providers was accessed on May 26, 2015. Individuals may also visit the providers' websites, which may be accessed at www.fwradiology.com , for information on this incident. Affected individuals may include, along with potential others, individuals who received radiology services during this time at any of the organizations identified below:

				Accustat Medical Lab, Inc.						Indianapolis, IN
				Allergy & Asthma Center						Fort Wayne, IN
				Associated Physicians & Surgeons Clinic, LLC						Terre Haute, IN
				Ball Memorial Hospital						Muncie, IN
				Bedford Regional Medical Center						Bedford, IN
				Cameron Memorial Community Hospital						Angola, IN
				Central Indiana Orthopedics, PC						Muncie, IN
				Community Memorial Hospital						Hicksville, OH
				Ear, Nose & Throat Associates						Fort Wayne, IN
				Family Medicine Associates, Jerry Sell, M.D.						Rockford, OH
				First Care Family Physicians						Fort Wayne, IN
				Fort Wayne Medical Oncology & Hematology						Fort Wayne, IN
				Gary Pitts, M.D.						Warsaw, IN
				Indiana Urgent Care Centers, LLC						Indianapolis, IN
				Indiana University Health Center						Bloomington, IN
				Jasper County Hospital						Rensselaer, IN
				Manchester Family Physicians						North Manchester, IN
				MedCorp						Toledo, OH
				Meridian Health Group						Carmel, IN
				Nationwide Mobile Imaging						Fort Wayne, IN
				Neighborhood Health Clinic						Fort Wayne, IN
				Orthopaedics Northeast						Fort Wayne, IN
				Parkview Regional Medical Center						Fort Wayne, IN
				Parkview Hospital						Fort Wayne, IN
				Parkview Ortho Hospital						Fort Wayne, IN
				Parkview Heart Institute						Fort Wayne, IN
				Parkview Women & Children's Hospital						Fort Wayne, IN
				Parkview Noble Hospital						Kendallville, IN
				Parkview Huntington Hospital						Huntington, IN
				Parkview Whitley Hospital						Columbia City, IN
				Parkview LaGrange Hospital						LaGrange, IN
				Parkview Physicians Group
				Parkview Occupational Health Centers
				Paulding County Hospital						Paulding, OH
				Prompt Care Express						Coldwater, MI; Sturgis, MI
				Public Safety Medical Services						Indianapolis, IN
				Purdue University Health Center						W. Lafayette, IN
				Southwestern Medical Clinics						Berrien Springs, MI
				Tri-State Medical Imaging						Angola, Indiana
				Union Associated Physicians Clinic						Terre Haute, IN
				U.S. Healthworks Medical Group of Indiana						Elkhart, IN
				Van Wert County Hospital						Van Wert, OH
				Wabash County Hospital						Wabash, IN
				Wabash Family Care						Wabash, IN

We take the security of health information very seriously and understand that such incidents cause real concern. We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge.

View source version on businesswire.com: http://www.businesswire.com/news/home/20150724005450/en/

[ Back To TMCnet.com's Homepage ]