Health Information Management

EHR vendor hit by sophisticated cyber attack

HIM-HIPAA Insider, August 10, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

An Indiana-based EHR vendor and its subsidiary company were the victims of a sophisticated criminal cyber-attack last week that exposed the PHI of some patients at several of the vendor’s clients, according to a notice Medical Informatics Engineering (MIE) posted to its website June 10.
 
The statement did not say how many patients were affected, but did list the following affected clients, which were each notified of the breach:
  • Concentra
  • Fort Wayne Neurological Center
  • Franciscan St. Francis Health Indianapolis
  • Gynecology Center, Inc. Fort Wayne
  • Rochester Medical Group
The breach also affected MIE’s subsidiary, NoMoreClipboard, which is also based out of its Fort Wayne offices. A separate notice to those clients and patients was issued.
 
Compromised PHI may have included patients’ names, Social Security numbers, mailing addresses, email addresses, birthdates, medical conditions, and lab results, according to MIE.
 
The same information was compromised at NoMoreClipboard along with individuals’ usernames, passwords, and security questions and answers.
 
Both MIE and its subsidiary, however, pointed out they don’t collect or store financial or credit information on patients.
 
MIE said it first discovered suspicious activity related to one of its servers on May 26, 2015, and immediately opened an internal investigation with assistance from third-party forensics experts. Law enforcement authorities were also notified.
 
The statement said MIE’s investigation thus far indicates unauthorized access to the company network began on May 7 in a sophisticated cyber-attack, but offered no further details on the nature of the incident. MIE notified victims June 2.
 
The FBI’s cyber-crime division is actively investigating the case with full cooperation from MIE and NoMoreClipboard.
 
MIE said it has been continuously investigating the attack as well as enhancing its data security and protection.
 
Free credit monitoring and identity protection services for the next 24 months were offered to victims of the breach and a toll free call center was also setup. NoMoreClipboard further urged its users to change their passwords.

This article originally appeared on HCPro’s HIPAA Update blog.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs

  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular