Physician Practice

EHR vendor hit by sophisticated cyber attack

Physician Practice Insider, June 30, 2015

An Indiana-based EHR vendor and its subsidiary company were the victims of a sophisticated criminal cyber-attack last week that exposed the PHI of some patients at several of the vendor’s clients, according to a notice Medical Informatics Engineering (MIE) posted to its website June 10.
The statement did not say how many patients were affected, but did list the following affected clients, which were each notified of the breach:
  • Concentra
  • Fort Wayne Neurological Center
  • Franciscan St. Francis Health Indianapolis
  • Gynecology Center, Inc. Fort Wayne
  • Rochester Medical Group
The breach also affected MIE’s subsidiary, NoMoreClipboard, which is also based out of its Fort Wayne offices. A separate notice to those clients and patients was issued.
Compromised PHI may have included patients’ names, Social Security numbers, mailing addresses, email addresses, birthdates, medical conditions, and lab results, according to MIE.
The same information was compromised at NoMoreClipboard along with individuals’ usernames, passwords, and security questions and answers.
Both MIE and its subsidiary, however, pointed out they don’t collect or store financial or credit information on patients.
MIE said it first discovered suspicious activity related to one of its servers on May 26, 2015, and immediately opened an internal investigation with assistance from third-party forensics experts. Law enforcement authorities were also notified.
The statement said MIE’s investigation thus far indicates unauthorized access to the company network began on May 7 in a sophisticated cyber-attack, but offered no further details on the nature of the incident. MIE notified victims June 2.
The FBI’s cyber-crime division is actively investigating the case with full cooperation from MIE and NoMoreClipboard.
MIE said it has been continuously investigating the attack as well as enhancing its data security and protection.
Free credit monitoring and identity protection services for the next 24 months were offered to victims of the breach, and a toll-free call center was also set up. NoMoreClipboard further urged its users to change their passwords.
This article originally appeared on HCPro’s HIPAA Update blog.
