A recent data breach at electronic medical record services provider Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard may have impacted an estimated 3.9 million patients nationwide, according to Indiana Attorney General Greg Zoeller.
The exposed data is impressively thorough — it may include names, phone numbers, mailing addresses, user names, hashed passwords, security questions and answers, email addresses, birthdates, Social Security numbers, lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions, and spouses’ and childrens’ names and birthdates.
A total of 11 of MIE’s healthcare provider clients and 44 radiology centers were affected. The full list of affected entities is available at www.mieweb.com/notice.
MIE says the breach was discovered on May 26, 2015, and was immediately reported to law enforcement. “Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015,” the company said in a statement. “Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data.”
Remedial efforts, MIE says, have included “removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement.”
The Journal Gazette reports that affected patient James Young has already filed a lawsuit alleging that MIE failed to “take adequate and reasonable measures to ensure its data systems were protected,” failed to stop the breach, and failed to notify those affected in a timely manner.
Josh Cannell, malware intelligence analyst at Malwarebytes Labs, told eSecurity Planet by email that the fact that the hackers had access to MIE’s servers for three weeks before the breach was discovered suggests that the data wasn’t protected as well as it should have been.
“Furthermore, it’s well-known that cyber-criminals can use this information in many nefarious ways,” Cannell said. “For example, the most obvious use of this information would be for identity theft, which can cause a lot of financial headaches that can last for many years. Another potential abuse of this information could be seen in spear-phishing emails that may be sent to the victims of the breach, using PII to make the email seem legitimate, thus leading to a malware infection.”
“Considering the numerous amount of breaches that have happened in recent times, its clear this type of crime is paying off for the crooks, and it’s only going to get worse until companies that house this kind of very sensitive information have the knowledge and resources needed to protect it adequately,” Cannell added.
Breaches like these can have a significant impact — according to the results of the Medical Identity Fraud Alliance (MIFA)’s Fifth Annual Study on Medical Identity Theft, more than 2 million patients were impacted by medical identity theft in 2014, an increase of 21.7 percent over the previous year.
The study, conducted by the Ponemon Institute and sponsored by MIFA, with support from Kaiser Permanente, ID Experts, Experian Data Breach Resolution and Identity Finder, also found that 65 percent of victims surveyed paid an average of $13,500 in out-of-pocket costs to resolve the theft.
In total, medical identity theft cost consumers more than $20 billion in out-of-pocket costs in 2014.
“2015 will be a year of increased attention to the pervasiveness and damaging effects of medical identity theft,” Ann Patterson, senior vice president and program director at MIFA, said in a statement. “As we’ve already seen this year, the healthcare industry is and will continue to be a major target for hackers.”
Victims are rarely informed of medical identity theft by their healthcare provider or insurer, and it takes them an average of three months to learn about the theft. Among the 54 percent of respondents who found an error in their Explanation of Benefits, half said they didn’t know to whom to report the issue.
Forty-five percent of respondents said medical identity theft affected their reputation, largely due to the embarrassing disclosure of personal health conditions. Nineteen percent said the theft caused them to miss out on career opportunities.
Only 10 percent of respondents said they ever achieved a completely satisfactory conclusion of the incident.