
Tuesday, July 28, 2015

Comments


Willbert

Found you on twitter while searching @MIEHR. Thank you for taking the time to post this information. It's more than you can get from MIE. I, like a lot of others, got my notice this morning about the breach and MIE's lack of security and wondered why this was the first time I'm hearing about this. I'm sure the providers have known for months. It's nice how the letter tells me all the things I should do to address their mistake but MIE doesn't once apologize for their failure to protect my information. I'll keep up with your blog and appreciate your efforts.

George

Willbert:

Thanks for the comment. Glad that you found the blog post helpful and informative. When I learn more, I will post on this blog. So far, no replies from MIE via Twitter.

George
Editor
http://ivebeenmugged.typepad.com

Stacey

My husband and I each got a letter. We also live in Mass. I started to research tonight to see if this is a scam. Sounds legit I guess, but I'd like to know how they got our medical info too. My husband has had very little need for medical attention for years, so not many institutions have his info - aside from pharmacies. Very confusing. Thanks!

Ken

My wife and I got our July 17, 2015 dated notices today. Same text. And we are in Denver and have been here for 20+ years. Recognize none of the above clients and have never been with Concentra. Really makes me wonder why and how they have our info. Also thought scam initially, but as noted above sounds legit scanning MIE and other sites.

Growing tired of these. Got caught up in the Home Depot breach and that protection is still in place for a bit more, but not confident that service will catch anything anyway. Froze credit accounts years ago

Agree with above issues but nothing will never happen. Too much data and too little security as these companies are clueless on security. Give me a Linux system and I'll lock it down for you. Forget Windows and the Cloud. Cloud system security is far behind the technology. Multiple VMs on one server rented for business use. Just rent VM time and hack away....

Thanks.

-ken

Dana

I, too, rec'd letter, but don't know why they have my info. I visited dentist about a year ago and had eyes checked in June 2015. What is MIE doing with my name, etc. I'm confused and concerned. Also, I followed instructions provided in letter, but was unable to enroll ProtectMyID...Help?

George

Everyone:

Thanks for sharing your comments. You are not alone. This morning, I spoke with Concentra's regional human resources manager, Mrs. Wallace. She was very helpful. As I learn more, I will post it on this blog. There is much more to this story.

George
Editor
http://ivebeenmugged.typepad.com

Stacey

So, is anyone going to enroll in the Experian protection???
Any suggestions on what we should/shouldn't do are much appreciated.

George

Stacey:

I am curious to hear what other people's decision is about whether or not to sign up for the free Experian ProtectMyID Elite service arranged by MIE. Our decision whether or not to sign up will be based upon:
1. What we learn about the extent of the breach,
2. Limited coverage: as explained in the above blog post,
3. As you know, a CREDIT monitoring service does little to protect your MEDICAL records, and
4. What we learn about HOW medical records are shared between companies.

We already have Security Freezes on our 3 major credit reports from prior data breaches. If you don't know what a Security Freeze is, there are plenty of resources in this blog. You can start reading here:

http://ivebeenmugged.typepad.com/my_weblog/2008/04/security-freeze.html

George
Editor
http://ivebeenmugged.typepad.com

Irma

Thank you! I got such a letter too and I am searching for the same answers. I am very interested in finding out what others are going to do with Experian's ProtectMyID: what shall we be aware of and what to check.
Thank you!

Irma

I would like to file a HIPAA complaint. What shall I state there? Any advice how to make it more effective?

Pat

I got my July 17 notice yesterday also. I tried calling the hotline and explained to them that I've never done business with Concentra, and they basically said they can't give much info about how MIE obtained the medical records. The person I spoke to tried to downplay the breach by saying this letter and the offer for ProtectMyID was precautionary.

I have a feeling that this breach is probably larger than they make it seem, and yes there is probably much more to the story than what we're being told.

Irma

I have just contacted this line too. I requested the list of the companies who used the services of Concentra. Plus I requested any information that will help me to find their report with the officials (FBI) - number of the report, date, etc. They said they will "escalate" these questions to the supervisor, who is supposed to call me back I think within 48 hours. It was really difficult to talk to them as there was really heavy noise in the background and the person did not want to be very articulate as well.

George

For people MIE claimed Concentra was the source of your data:
Like you, my wife and I are very concerned. Stay tuned. I hope to have more about this soon.

Irma:
Thanks for sharing your comments and for investigating with MIE. Please share whatever you learn. As I mentioned in my blog post, MIE subcontracted the hotline operation to another company, so what they tell us is very limited. Keep pushing for answers! I will do the same.

George
Editor
http://ivebeenmugged.typepad.com

Lee Rottinghaus

George:
I live in Fort Wayne, Indiana, where MIE is headquartered. I have sent emails to the author of the breach letter (Eric Jones) and asked for specific information about my health care information. No response thus far, which is no surprise. I did contact the local newspaper, The Journal Gazette and they did interview me and then sent a photographer to my home. The story will appear in the Sunday, August 2nd issue of the Journal Gazette. The reporter from the Journal Gazette was trying to get a comment from Eric Jones. Am very interested in any commentary from Eric Jones. I agree with your interpretation--MIE is more interested in avoiding liability than communicating with those affected.

After 3 attempts I did reach the MIE "hotline". However, the representative was not able to answer my questions. She did offer to escalate the call to a supervisor, but I will not receive a call back for approximately 48 hours.

I did attempt to register with Experian, but could not. I called the help line but the hold time was so lengthy I was not even placed on hold. The recording suggested that I try back later because call-volume was so high. So, I still do not have answers about my compromised health care information.
-Lee

Dana

Thank you for providing direction and edification. I attempted to enroll as per directions in letter I rec'd, but to no avail. Now I don't even know if I want to bother...Looks like I'm going to have to go through the joy of calling for info (as to why MIE has my info)---good luck to all of us, right?!! Thank you again for your insights and information, G.

George

Lee and Dana:

Thanks for sharing your comments with your experiences. It is sad and troubling to hear that you were unable to register for the Experian service. I look forward to reading the Sunday, August 2 article in the Journal Gazette.

My informal list of states with consumers affected by the MIE breach: California, Colorado, Idaho, Indiana, Maryland, Massachusetts, New Hampshire, Texas, and the District of Columbia. Maybe we'll hear more comments from people in these or other states.

George
Editor
http://ivebeenmugged.typepad.com

Philip Duclos

Got the letter from MIE today and my spouse did too. No, we have done no business with any of the listed providers nor with Concentra. Called the "hot line" and spoke with Bonnie. Bonnie got the job two days ago and had no useful information. I asked to be notified about who had contracted with MIE to host my personal health information (PHI) and perhaps Bonnie's supervisor will call me back. Yeah, right.
Looked up MIE on the Indiana Secretary of State website. Eric Jones is listed as Secretary. MIE stands for Medical Informatics Engineering. The practice of Engineering is regulated in Indiana and you must be a Professional Engineer (PE) to practice. Interestingly enough there is an "Eric Steven Jones" licensed as an engineering intern in Indiana. An engineering intern may only practice under the supervision of a PE. And Indiana has a pretty strict definition of "offering the services of engineering" with an exemption for "manufactured products". Does hosting of a website/database containing PHI qualify as a manufactured product or is it a service? We will find out because I filed a complaint with the Indiana Attorney General's office that 1. MIE was practicing without a license and 2. Eric Steven Jones was practicing without a PE license when he only has an IET license.
Full disclosure - I am a PE
The purpose of licensure is to protect the health and safety of the public. Has the health or safety of the public been adversely affected by this breach of data by MIE?

Ivan

This is my second breach this year and once again they offer limited amount of protection.
As you stated, why only 1 credit agency and not all? However, my biggest qualm is that some of the data breached will never change, so what good does 2 years do when my SSN/Birthday never change in my lifetime?

Companies that deal with identity information need to be able to protect that data or not work in that kind of environment. I know the HIPAA rules from the government and am also involved in IT. Therefore, I personally know what is involved with this security but am also aware of the risks.

Companies need to be able to protect my data, and have a budget for it in case this happens.

How can we get a bill in place to get this done?
Or how can I get a class action lawsuit going for lifetime protection?

Renee

I also received a letter dated July 17, 2015. This letter lists the name of the provider I have used in Arkansas who uses NoMoreClipboard. The list of affected data includes address, phone, email, username, password, birth date, and security question. I found this site while researching whether it was a scam and whether I should pursue the offer of Experian's ProtectMyID Elite.
My provider does have a note on their home page alerting one to the cyber attack. I am quite sure that I have provided more information on that site than is listed above including insurance and health records, although, of course, I know as little as everyone else on what happened and how much was included in this attack.
A question-does the information you write down on the clipboard at the doctor go into the same system? Does it make any difference whether I write it down or use my computer if it's all going into the same retrieval system?

Dana

It's a mess, that's for sure! This is my 2nd breach as well--Home Depot the other. I haven't been to a doctor in years (Nevada), let alone any on that wonderfully inclusive list (thanks so very much) of medical places in IN, MI, et al. I doubt I'm going to sign on to Experian cuz what good does "monitoring" do really...I mean, if they were about circumventing possible issues, ok. I like that class action lawsuit idea, but it'd probably take a lifetime to get any kind of result. Gosh, I sound so negative and jaded and I'm not much that way in life; it's just that this security stuff is wearing, frustrating, and a bit nerve-wracking insofar as 'what next'. I'm all for hearing any advice you all have to offer because I'm not savvy with stuff like this at all!

Colette

Alabama can be added to the list of states.

Elizabeth Baugh

My husband and I both received the letter - we are in TN - can't figure what our connection is to Concentra?? Trying to figure out if this Experian step is worth it.... Really tired of all these breaches....

Frustrated in WY

I received the same letter. Called the hotline in the letter, waited almost an hour to be connected to a representative. The letter stated I could obtain the identity of the affected healthcare provider. The representative told me they had absolutely no information on the identity of the healthcare provider. I waited on hold for almost an hour to get absolutely NO information that the letter informed me I could obtain. Very frustrating.

Bart Kolodziejczak

A friend of mine in FL got the letter a couple of days ago and I got it yesterday in AZ. My thought is this feels scammy, like some way to generate business for Experian. After two years, will the Experian coverage just stop, or will they just start billing me and I would have to contact them to get rid of it? I plan to toss this letter and just watch my finances on my own with the protections I already have in place.

Jennifer

I contacted my local Concentra which I had visited a few years back, their administrator confirmed that they received a data breach email from MIE and gave me her contact # for them. I spoke to a representative today and he assured me for my name, birthdate, phone and address were leaked (but not my social security number). I'm keeping the letter in case anyone tries to steal my identity down the road, but the reviews for Experian ProtectMyID are not good. I'll keep checking my insurance claims now like I check my credit cards and banking activity. This is such a huge inconvenience. Makes me want to pay cash for everything and skip any service that requires relinquishing personal information. Pain in the ...

George

Everyone:

For those who want to learn more about HIPAA, what information is protected, and your rights, I found this page a good place to start reading:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

And, you may find this helpful:
http://healthcare.findlaw.com/patient-rights/what-can-i-do-after-an-improper-disclosure-of-medical-records.html/

It seems that the information compromised in the MIE breach varies by person. Some people had more info exposed than others. So, any HIPAA complaint you submit will vary given your situation. See the breach notice you received from MIE and use the data elements listed in it with your complaint submission.

George
Editor
http://ivebeenmugged.typepad.com

Stacey

Update - just found out that we got the letter because my husband is an employee of HP and it was through their benefits dept using Concentra.

George

Stacey:

Thanks for sharing. Your situation is different from my wife's because you have a clear, valid connection to Concentra via health care services through your husband's employer. My wife and I do not have such a connection to Concentra. We are trying to find out how Concentra got her information.

What makes the whole thing tricky is that the amount of information compromised by the MIE breach seems to vary by person. You may (or may not) have had a lot more information compromised than my wife. Your breach notice from MIE should list the data elements compromised, and if the elements apply to one or more persons (e.g., your husband, you, children). I do not know your particulars, nor if MIE offered to you the same Experian credit monitoring services that it offered to my wife.

If you can share more, that would be great. I am curious to hear, but don't break any confidentiality. And, I think that other breach victims are curious, too.

George
Editor
http://ivebeenmugged.typepad.com

Stacey

Sure - As for what was breached, my letter says SSN, Address, DOB; my husband's letter says SSN, Address, DOB, & Email address.

Yes, they offered us the same protection service thru Experian that others have mentioned above.

The Email from HR explained "HP provided eligibility data to Concentra so that employees and spouses would be able to participate in the screening process and earn wellness incentive credits. The data was used by Concentra solely for member identification purposes." I do not believe they are using Concentra any longer. They recommend you sign up for the credit monitoring, and finish with "For more information regarding the specifics of the security breach and the services MIE has put in place, please visit https://www.mieweb.com/notice/ or call 1-866-328-1987."

Chanson de Roland

The thing that this latest data breach brings home for me and, I think, for us all is just how valuable our personal information is and how, even our Protected Health Information (PHI), is collected, traded, and otherwise used for others' profits without any meaningful consent from each of us. Indeed, users' personal information is the modern Internet's currency, which is the source of nearly every Internet firm's revenues and profits, but especially of those who offer services and goods to us without charging a price in money for those goods and services. There is an old saying from earlier days of the Internet that captures this well: "If you're not paying for something, you're not the customer; you're the product being sold."

So we have all been reduced to being mere chattels. And we are so reduced because our personal information, the information that we author by and through our actions, belongs to everyone except us. And since we are our information and the acts that create it, it follows that, our information not being ours but belonging to others, we, a fortiori, are just others' property. And being nothing more than property, our rights, the right to privacy, our dignity, etc., must be subordinate and subservient to the true owners', Google, Facebook, MIE, and their ilk's, rights and interests.

So get used to being sold on the Internet and its modalities, and get used to nefarious people breaking into your owners' computers to steal you, i.e., your personal information, so that they can sell or otherwise exploit you through fraud, extortion, or by some other nefarious means.

How did this happen? And when did we cease to own the personal information that is such an essential part of who we are and become another's property, having only those limited rights and remedies that government deigns to grant us, rather than stronger, fuller, and complete constitutional rights as the owners of our personal information?

Misty

I am in Kentucky and also received the 17 July security breach letter offering 2 years free credit monitoring by Experian's ProtectMyID Elite. This letter states information that was compromised but does not state in any way what facility or any association that it may have come from. Today is Saturday; so I will have to call on Monday for more info. Good luck everyone.

Tracy

We received the same letter from MIE and our problem is that we both have the same 1st name and were confused as to who the letter is to since it only has 1st and last name on it and no other identifying items. But I did work for HP/Compaq for 19 years, and quit 2 years ago this past July. So if the letter is to me I guess it doesn't matter if HP still uses Concentra or not since they still have our info on file. Personally I believe not being able to use your SSN for anything besides your job reporting your earned income to IRS and SSA would go a long way in helping prevent use of your info obtained in data breaches.

J Whiley

My mother received the same letter... Wichita, KS, and on my first look at the letter it appears to be a scam. The letter gives a scare tactic then wants to offer "free" two year protection by signing up with ProtectMyID... who knows, this Eric Jones may be getting a bonus every time someone signs up. Remember nothing is free. I will continue to research.
Thanks...really appreciate everyone's feedback.

George

Everyone:

You may find the information in Monday's blog post helpful:

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian
http://ivebeenmugged.typepad.com/my_weblog/2015/08/lawsuits-mie-experian.html

As I learn more, I will share it in blog posts.

George
Editor
http://ivebeenmugged.typepad.com

Kim

I received the letter maybe a week or so ago -- it's been sitting in a pile of mail that I just got around to opening this morning. I live in TN and have never dealt with anyone at Concentra -- I've never received a bill from a Concentra, used an urgent care under that name, been drug tested by one of their facilities, etc. You made mention above in your post about speaking to someone at "Epic" and I do know that Epic is now the online medical records provider that one of our large local hospitals has gone to so I'm wondering if this is the connection for me. Supposedly just my address, phone and birth date was leaked. No wonder I can't get the hell off any do not call lists. What a joke of a country we live in. I don't think the ProtectMyID is a scam -- it's just one more lame attempt at covering someone's you know what.

Bobbie

George,
I live in Ohio; add that to the list of states affected. I and several family members received the MIE letters. I receive medical services in Fort Wayne, IN, home of MIE. Several of my docs and health care providers are on the breach list. Also, FW is home to the Journal-Gazette newspaper; article previously mentioned. I suspect that some of my family members' info was compromised, because I had added them to MY emergency contact lists. If I had not added them, then they would not be able to obtain ANY info about my medical condition.
I am outraged at MIE. It is my understanding that it is not all that difficult to have security measures in place on computer systems right from the get-go. After reviewing MIE's own web site, I see that they wholeheartedly brag about their credentials and what a wonderful business they have built. Nowhere did they mention that their customer's information security was a priority, or how they were managing that.
Although those who actually steal from others (i.e., identity thieves) should be punished, I also believe that the MIE execs should be held accountable. The MIE letter states, "We take the security...very seriously...and apologize for the inconvenience." Are you kidding me? How is "taking seriously" and "apologizing" helping me and the 5 million others?!? Note that only 1.5 million are Hoosiers; the other nearly 4 million are from other states. If MIE is truly sorry, they will make lifetime restitution to those of us whose personal information has been compromised AND cover the lifetime expenses of those whose identities are actually stolen. I believe that each and every individual who received the MIE letter should, minimally, have a LIFETIME of the BEST IDENTITY THEFT PROTECTION paid for in full by MIE. None of this 2-year nonsense. Thieves can be quite patient. Two years isn't all that long. And call me skeptical--but, I've dealt with trying to stop credit card payments before--they will keep withdrawing the money from your account; it is extremely difficult to stop after the "free trial" period.
Although, according to the Journal Gazette, a lawyer from Indianapolis is currently filing a 5 million dollar suit against MIE, how will that help Hoosiers and how will it help the non-Hoosiers? I would like to hear from the lawyer for his take on all of this. I will continue to follow others' reactions to this issue. Thanks.

George

Misty, Tracy, and J Whiley: thanks for sharing!

Irma: about your question of what to put in a HIPAA complaint, I have not forgotten you. I am still researching answers. More to come. Please hang in there.

Kim: just like you, my wife and I never used Concentra urgent care services. That's why I contacted them to learn from Concentra exactly how they acquired my wife's info. Hopefully, I will get some answers soon. Will share what I learn.

Bobbie: I understand how you feel. We feel much the same way. If you read HIPAA laws, they seem tilted towards employers sharing information with health care providers. The general lack of notice and consent are troublesome.

George
Editor
http://ivebeenmugged.typepad.com

Jessica

Hello,

This is a good article to read about the different providers associated with the breach:

http://www.net-security.org/secworld.php?id=18700

and

http://www.mieweb.com/notice/

and

http://www.mieweb.com/notice/faqs

Plus, I had issues with Experian Protect My ID as well but switched to a computer. The signon should be the email you used in step#1. I only found this out by switching to signing on by computer and it auto populated that field for me.

Hope this helps some :)

From what I can tell the information stolen can be dated back to 1997.

Daniella

Hello, My parents received the same letter. I let them know to check their credit cards and checking accounts and then keep an eye out and keep the letter. I was going to have them sign up for the Experian but from what is listed above no one is doing it. Any advice or suggestions? I feel terrible and hope this doesn't affect anyone and my parents for that matter.

R e

My wife works at HP but we have never used HP's health benefits. Now my information is compromised!!! Why would they share our data with Concentra who apparently shared it with MIE when we don't even use these benefits? And why is there never any liability for these breaches? This will continue to happen until there are severe financial consequences for all the companies that are careless.

Mike P

Add Georgia to the list. I have lived here for over 28 years. I also worked at DEC/Compaq/HP since 1976. HIPAA sounds great in concept and on paper, but seldom (if ever) are enforcement actions taken with real teeth. A universal class action suit with federal investigation (FBI) should be aggressively pursued. There's just too many cracks/gaps in current revelations. Still waiting for a clear consensus on joining the Experian monitoring service. There doesn't appear to be a monitoring service for health (non-credit) clearinghouse.
Mike P

Daniella

So, here is the question should you do the Experian free trial for 2 years, You have until October to sign up? Thoughts anyone?

Brad Hancock

B. here from Texas. Got the letter myself last week. What is really strange about the whole affair is that at least 90% of my coworkers also received the letter from MIE (not No More Clipboard). I work at a nuclear power plant. We have direct employees and contract employees here on site. Each contractor has their own health plans run completely independent of ours, yet many of the contracted employees also received these notices. There is one thing that we all have in common - continuous random drug testing & initial hire drug screening. I wonder if the laboratory we use (Quest Diagnostics) was a silent partner of this data breach? I am suspicious of that one common tie since if it was a breach through our corporate insurance policies, wouldn't my wife also have received a notice? The few cases where a spouse or dependent also received a notice the only common tie was through routine testing for an existing medical condition - and they used Quest Diagnostics. I have never used a Concentra urgent care clinic, nor have I ever submitted data to them for any type of medical benefit screenings either.

Like others, I called the information hot line and got very little useful information. I did sign up for the credit monitoring. It was uneventful and actually went pretty smoothly. I used a desktop from my home to sign up, after verifying that I had a secure connection. Of course that could have been spoofed too, I know.

Like others have posted, I too think that there is a lot of information that is being withheld at this time - for what reason I have no idea. Could it be that the very low-key dissemination of the magnitude of this breach was designed to not cast doubts upon the EHR mandate of the Affordable Care Act?

George

Brad:
Sorry to hear you were affected. You raise a good question. This document (Adobe PDF format) suggests a business relationship between Medical Informatics Engineering (MIE) and Quest Diagnostics:
https://www.questdiagnostics.com/dms/Documents/hit_quality_solutions/commercial_connectivity_solutions_dec2014-1-/commercial_connectivity_solutions_dec2014%5B1%5D.pdf

Scroll down to page 11. As you can see in the link, this document resides at the Quest Diagnostics site. I found it in 5 minutes with a Google.com search. So, you might call Quest Diagnostics' customer service department and demand some explanations about: a) their business relationship(s) with MIE; b) what data they share with MIE; c) and that you don't consent to the data sharing, since MIE has shown it can't protect it. You might also call MIE and ask them why Quest Diagnostics was not listed in their announced list of affected vendors.

This suggests that the breach is broader than we all thought.

George
Editor
http://ivebeenmugged.typepad.com

George

Jessica: thanks for providing the link to the Help Net Security article. The article mentioned 5.5 million affected consumers, which seems too high. Why? The U.S. Department of Health & Human Services listed today 3.9 million consumers affected by the breach.

Mike P, Daniella, Bobbie, and R e: thanks for sharing your experiences. As Bobbie wrote, 2 years isn't that long. I agree that thieves are crafty, persistent, and patient. Whatever you decide to do, you'll have to take precautions for longer than 2 years. My wife and I have credit freezes on our credit reports. That prevents financial fraud, but not medical fraud.

Everyone: I hope to have more information in another blog post soon.

George
Editor
http://ivebeenmugged.typepad.com

Pam

Texas residents also affected. Rec'd letter that my SSAN, name, etc. were stolen. Be aware that if you sign up for the free two years of protection, you are agreeing that you cannot participate in any class action suit, even after cancellation of policy. Individual arbitration only option. Also, the agreement applies to many entities that are not named (referred to as subsidiaries, parent entities, affiliates, etc...)

Many facilities download PHI from regional and national databases (HIEs) or hospital systems. That might explain why so many don't know how their information was acquired. HIEs are not a good thing - too fraught with danger for the consumer until better security and breach impact responsibility laws are in place.

Thanks for the information. Look forward to follow up.

Marnie C. Lambert

I am in Ohio and I received one of the July 17th letters too, as did a friend of mine. We cannot figure out what medical provider we have in common that may have used a product or service of MIE and, like others on here, "Concentra" is referenced but is a company with which I am not familiar. It hardly seems right that victims should have to give up anything in order to receive the monitoring/credit protection that MIE itself must think we need due to the data breach at their company. If MIE is going to provide supposed protection to victims, that protection should not be conditioned on the victims accepting the protection giving up their right to file a lawsuit (class action or otherwise) against MIE for any damages they may suffer. Something about that approach by MIE just leaves a bad taste in my mouth.

George

Pam and Marnie:

Thanks for sharing your comments and experiences. I agree, it is frustrating. Companies seem to easily buy and sell consumers' medical information without consumers' consent. Since consumers can lock down our credit reports, it seems logical that consumers should also be able to lock down their medical records. The latter is something we all should demand of our elected officials.

About the binding arbitration clause in the credit monitoring agreement, I checked the Terms and Conditions page for ProtectMyID (http://www.protectmyid.com/terms/ ). It read:

"This ProtectMyID product ("ProtectMyID") Membership Agreement ("Agreement") is between you and ConsumerInfo.com, Inc. ("CIC" "us" "our" or "we") and explains the terms and conditions under which you may use the ProtectMyID.com ("Website") and the ProtectMyID product, including without limitation, any paid product upgrade features, where applicable, such as ChildSecure and RestoreMyID ("Product")... WE EACH AGREE TO RESOLVE THOSE DISPUTES THROUGH BINDING ARBITRATION OR SMALL CLAIMS COURT INSTEAD OF IN COURTS OF GENERAL JURISDICTION TO THE FULLEST EXTENT PERMITTED BY LAW. ARBITRATION IS MORE INFORMAL THAN A LAWSUIT IN COURT. ARBITRATION USES A NEUTRAL ARBITRATOR INSTEAD OF A JUDGE OR JURY, ALLOWS FOR MORE LIMITED DISCOVERY THAN IN COURT, AND IS SUBJECT TO VERY LIMITED REVIEW BY COURTS. ARBITRATORS CAN AWARD THE SAME DAMAGES AND RELIEF THAT A COURT CAN AWARD. ANY ARBITRATION UNDER THIS AGREEMENT WILL TAKE PLACE ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CIC WILL PAY ALL COSTS OF ARBITRATION, NO MATTER WHO WINS, SO LONG AS YOUR CLAIM IS NOT FRIVOLOUS. HOWEVER, IN ARBITRATION, BOTH YOU AND CIC WILL BE ENTITLED TO RECOVER ATTORNEYS’ FEES FROM THE OTHER PARTY TO THE SAME EXTENT AS YOU WOULD BE IN COURT... For purposes of this arbitration provision, references to "CIC," "you," and "us" shall include our respective parent entities, subsidiaries, affiliates, agents, employees, predecessors in interest, successors and assigns, websites of the foregoing, as well as all authorized or unauthorized users or beneficiaries of services, products or information under this or prior Agreements between us. Notwithstanding the foregoing, either party may bring an individual action in small claims court..."

It seems that binding arbitration is between CIC and the ProtectMyID user, and does not include MIE. You are correct to be concerned as nobody wants to give up their legal rights against MIE. What gives you the impression that binding arbitration includes MIE?

Last, binding arbitration clauses are usually not consumer friendly. I explored the reasons why in this blog post:

10 Tips About How To Read Terms Of Use And Privacy Policies
http://ivebeenmugged.typepad.com/my_weblog/2015/06/how-to-read-policies.html

George
Editor
http://ivebeenmugged.typepad.com

Marnie C. Lambert

Thank you for that clarification George! It certainly does not sound like there are any "strings attached" to the free 2 year protection being offered by MIE so that is a big relief! I am not surprised that there is a class action waiver or mandatory arbitration clause in an agreement with a credit monitoring company. I am so frustrated with how many security breaches of private health and financial information there are these days! It makes you wonder if the healthcare industry and the financial industry are really spending the time and money they are supposed to be on keeping our sensitive personal information confidential. From what I have read, the cost of cybercrimes to Americans is staggering. Thanks for shining a light on these important issues!

Sandra

Thank you for posting this George. My story is exactly the same as yours including the date on the letter, the claim that a company I've never heard of, Concentra, was the source. I have no idea exactly what data of mine was compromised or where that data came from. I'm dismayed to learn that companies have my personal data in their systems yet I have no idea how or why it got there... did I give permission for them to have it (buried somewhere in 50 page long terms of use)? I awoke this morning to an email alert from ProtectMyID and was extremely panicked until I finally determined (after waiting on hold with Experian for over an hour listening to horrible anxiety producing music) that it was a legitimate credit update. As the weeks and months go by the chances of our sensitive data being used for nefarious purposes increases. I believe we should have protection from ALL the credit monitoring companies, not just one. It should also extend out at least 5 years. We may be able to change our passwords and email addresses, but our names, SSN, birth dates don't change after the 2 year monitoring expires...

George

Sandra:
Thanks for sharing. I agree. It is frustrating. Infuriating, too. 2 years is not long enough. Not even close. The risk will be there for a long time.

I have had several conversations with Concentra about when, where, and how they acquired my wife's information. And, all of this assumes MIE's records are accurate. As I learn more, I will share it. Stay tuned.

George
Editor
http://ivebeenmugged.typepad.com

Steve Schack

Thanks to everyone for the information on this site. I live in the state of Washington. I received the July 17 letter a couple of weeks ago and have been wondering about its legitimacy. My letter only mentions NoMoreClipboard but contains no reference to MIE or Concentra. The letter states that the compromised data includes: Address, Email, UserName, Password, and Security Question. In order to activate the Experian ProtectMyID service I would need to enter additional information including my SSN. Somehow, providing more sensitive data to potentially limit the effects of a theft of less sensitive data doesn't seem like a prudent thing to do. For now I am going to pass on the Experian offer, but I will continue monitoring this site for new developments.

Lee

I just signed up on the protectmyid, and realized it might be a scam. What can I do to protect my id security now? Thanks in advance

George

Lee:
Experian is a real company. And, its ProtectMyID is a real service. So, I don't know what you mean when you use the word "scam." A lot of people use that word without knowing its legal meaning.

It sounds like you might be worried that you may not get the value you hoped. If you are truly concerned, then maybe get a consultation with a privacy attorney to help you review the ProtectMyID agreement. Or, maybe get an attorney to help you decide if the class action against MIE is for you. I do not know your situation.

George
Editor
http://ivebeenmugged.typepad.com

Cindy Cole

Hello George,
I have been out of town and just opened my July 17 letter from MIE. The client they mention is RediMed. I have never heard of it before. I looked up RediMed, but did not recognize any of the providers they listed. Do I follow the same procedure and sign up with Experian? Should I contact my Credit Union? Thank you, Cindy

George

Cindy:

Thanks for sharing your experience. MIE did list RediMed on its above list of clients. You might contact RediMed and ask them to explain exactly when, how, and why they acquired your information, since the RediMed name is unfamiliar to you. I'd be interested in hearing RediMed's explanation, if they give one.

I cannot give you advice about whether or not to sign up for the free Experian credit monitoring service MIE arranged, since I do not know your specific situation. Free is often good. Of course, you should protect yourself. You have several options to do so. Of course, you should closely read the terms and conditions with the free Experian credit monitoring MIE has arranged for its breach victims. You may or may not find those terms agreeable. If there are portions of those terms you don't understand, then maybe get a consultation with an attorney.

Or, you may decide to do-it-yourself and place a Security Freeze on your credit reports. There are several blog posts in this blog about Security Freezes. Or, you may decide to use a competitive branded credit monitoring service, and pay for it. And, of course you should always inspect your bank account (and credit card) statements for any fraudulent entries.

You may be interested in filing a HIPAA complaint. Or, maybe you are interested in joining one of the class action lawsuits. There are several:

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian
http://ivebeenmugged.typepad.com/my_weblog/2015/08/lawsuits-mie-experian.html

Good luck, and let us know what you decide.

George
Editor
http://ivebeenmugged.typepad.com

George

Readers:

My wife and I got some answers to our questions about how Concentra obtained her information. See this update:

FYI: Medical Informatics Engineering, Concentra, Employers, Data Sharing, & Privacy
http://ivebeenmugged.typepad.com/my_weblog/2015/09/update-mie-breach.html

Feel free to share this with others.

George
Editor
http://ivebeenmugged.typepad.com

Sara

Obviously I don't check my mail frequently... just opened a similar notification. Add Michigan to your list.

I'm 25, and I have very little money and almost no knowledge about any of this mumbo jumbo. I certainly don't have a lawyer, and I could not afford one. I went to Concentra ONCE a couple of years ago to make sure I didn't have strep.

From what I can tell, the general consensus is that Experian's offered service is not particularly helpful. I am not sure if I should even bother with it, and, given their reputation, I AM concerned that after the stated two years they will start charging me for services without proper notification.

Are we SOL? Stupid cyber-life!

stacy

Has anybody ever heard back from HHS CRU after reporting a breach? I have filed two, not for this breach, but have never heard if they will even take my complaint.

The comments to this entry are closed.


  • © 2007 - 2017. George Jenkins. All Rights Reserved.