Hackers Steal Patient Data from Medical Software Company
Medical Informatics Engineering, a provider of software solutions for the healthcare industry, has reported it has been the target of a successful hacking campaign which resulted in Protected Health Information (PHI) being obtained by hackers.
The data breach has affected an as yet undisclosed number of patients of the following healthcare clients:
- Concentra Health
- Fort Wayne Neurological Center
- Franciscan St. Francis Health, Indianapolis
- Gynecology Center, Inc. Fort Wayne
- McDonough District Hospital (1,200 patients affected)
- Rochester Medical Group
According to the press release issued by Medical Informatics Engineering – posted on Business Wire – Medical Informatics Engineering discovered “suspicious activity relating to one of its servers” on May 26, 2015. The cybercrime division of the FBI was notified and an investigation into the hack is ongoing.
A forensic analysis of the affected servers determined that the personal information exposed in the Medical Informatics Engineering data breach included patient names, home/mailing addresses, email addresses and dates of birth. Some patients’ Social Security numbers, lab test results, medical conditions and dictated reports were also compromised. The investigation revealed that hackers first gained access to patient data on May 7, 2015. Access to that data continued for a period of 19 days.
Breach notification letters are being sent to all affected individuals in accordance with the Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule. The letters should be received in the next few days.
No More Clipboard Clients’ Data Also Compromised
Medical Informatics Engineering also discovered that the data breach affected a number of patients and healthcare clients of its NoMoreClipboard (NMC) subsidiary, a provider of secure Electronic Health Records (EHRs). An undisclosed number of patients and healthcare providers who have previously used the service to create or maintain EHRs are being notified of the data breach separately.
South Bend Medical Foundation (SBMF) was one such healthcare provider whose patients have been affected. All patients of the provider who used the “My Lab Results” service to access their medical test results have potentially been affected. Breach notices will be mailed to all concerned.
Initially it was thought that the data breach was limited to personal information; however, a forensic analysis conducted by an external cybersecurity firm revealed that PHI was also compromised in the incident.
Social Security Numbers, Healthcare Data, Account Details and Personal Information Stolen
Investigators determined that NoMoreClipboard clients’ names, addresses, email addresses, dates of birth, healthcare information and Social Security numbers were compromised in the data breach. Account usernames, hashed passwords, and security questions – together with answers to those questions – were also exposed.
The hackers would not be able to access victims’ online accounts without the password, but since the number of digits in that password would be known, cracking the accounts could be sped up considerably.
To protect all users of the service, and to mitigate risk as far as is possible, NMC has taken the decision to enforce a change of password on all user accounts. Due to the nature of the data obtained by hackers, an additional precaution has been taken by NMC. All affected individuals will be sent a five-digit code to the mobile phone number they supplied to NMC. The code must be entered to change the password associated with the account.
Patients who did not supply a mobile telephone number will be emailed the code, and all other patients will be sent an email to encourage a change of password. Hackers have managed to obtain the email addresses of patients, so as a further precaution it would be wise to change email passwords as well. Security questions and answers should also be changed.
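As an added illustration (not NMC’s code, which the article does not describe), here is the forced reset with a five-digit code from the passage above, written with the safeguards a practitioner would expect: a CSPRNG-generated code kept server-side only as a salted hash, an expiry, a small attempt budget (a five-digit code has only 100,000 possible values), single use, and a fresh PBKDF2 password hash on success. The hashing scheme, the ten-minute expiry and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 5          # matches the five-digit code described above
CODE_TTL_SECONDS = 600   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 3         # assumption: 10**5 possible codes, so guessing is cut off early


class ResetChallenge:
    """One forced-password-reset challenge tied to a single account."""

    def __init__(self, account, now=None):
        self.account = account
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.used = False
        # CSPRNG-generated code; only a salted hash is stored, the plaintext
        # is handed to the SMS/e-mail sender and then dropped.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.salt = secrets.token_bytes(16)
        self.code_hash = self._hash(code)
        self.code_to_send = code

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def verify(self, submitted, now=None):
        """True only for the correct code: unexpired, unused, within budget."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created > CODE_TTL_SECONDS:
            return False
        self.attempts += 1                    # count wrong and right guesses alike
        if hmac.compare_digest(self._hash(submitted), self.code_hash):
            self.used = True                  # single use
            return True
        return False


def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 with a per-user salt (assumed scheme, not NMC's)
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def complete_reset(account, challenge, submitted_code, new_password, now=None):
    # The new password is accepted only after the challenge is satisfied.
    if challenge.account != account["username"] or not challenge.verify(submitted_code, now):
        return False
    account["salt"], account["pw_hash"] = hash_password(new_password)
    account["must_reset"] = False
    return True
```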
Identity Theft Protection Services Offered
Affected patients face a relatively high risk of suffering identity theft or becoming the victims of fraud, as Social Security numbers were exposed along with a considerable amount of personal information. Credit reports should therefore be obtained and patients should check the reports for suspicious entries. Similarly, Explanation of Benefits (EoB) statements should also be examined for any sign of fraudulent claims.
In an effort to mitigate any damage caused, all affected individuals – Medical Informatics Engineering and NoMoreClipboard clients – are being offered two years of credit monitoring and identity theft protection services. The service is not applied automatically and needs to be activated by patients. The services will be offered for a period of 24 months without charge.
“Secure EHRs” May Not Be As Secure As Patients Think
The security breach shows that even secure EHRs are not always hack-proof. Cybercriminals can, and will, find a way to break through defenses if vulnerabilities exist, provided there is sufficient motivation for them to do so.
Unfortunately, data held by healthcare providers and their Business Associates has a high value on the black market. The information can be used to obtain goods, services, loans and medical treatment/prescriptions, giving hackers more than enough reason to target healthcare providers, insurers and BAs for the data they hold.
Post Updated: 06/18/2015