In early June, Medical Informatics Engineering (MIE) announced a data breach where unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June, and began notifying affected patients on July 17.
The July 24, 2015 MIE press release about the breach stated:
"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."
NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making them easily accessible from a variety of devices: desktops, laptops, tablets, and smartphones. The service is sold to doctors, hospitals, and related professionals.
According to its breach FAQ page, MIE's client list includes:
- Concentra,
- Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
- Franciscan St. Francis Health Indianapolis,
- Gynecology Center, Inc. Fort Wayne,
- Rochester Medical Group,
- RediMed, and
- Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)
NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more:
NoMoreClipboard.com Clients Affected By Data Breach
- Advanced Cardiac Care
- Advanced Foot Specialists
- All About Childrens Pediatric Partners, PC
- Allen County Dept of Health
- Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
- Altagracia Medical Center
- Anderson Family Medicine
- Arkansas Otolaryngology, P.A.
- Auburn Cardiology Associates
- Basedow Family Clinic Inc.
- Bastrop Medical Clinic
- Batish Family Medicine
- Beaver Medical
- Boston Podiatry Services PC
- Brian Griner M.D.
- Brightstarts Pediatrics
- Burnsville Medical Center
- Capital Rehabilitation
- Cardiovascular Consultants of Kansas
- Carl Gustafson OD
- Carolina Gastroenterology
- Carolina Kidney & Hypertension Center
- Carolinas Psychiatric Associates
- Center for Advanced Spinal Surgery
- Chang Neurosurgery & Spine Care
- Cheyenne County Hospital
- Children's Clinic of Owasso, P.C.
- Clara A. Lennox MD
- Claude E. Younes M.D., Inc.
- CMMC
- Coalville Health Center
- Cornerstone Medical and Wellness, LLC
- Cumberland Heart
- David A. Wassil, D.O.
- David M Mayer MD
- Dr. Alicia Guice
- Dr. Anne Hughes
- Dr. Buchele
- Dr. Clark
- Dr. Harvey
- Dr. John Labban
- Dr. John Suen
- Dr. Puleo
- Dr. Rajesh Rana
- Dr. Rustagi
- Dr. Schermerhorn
- Dr. Shah
- Ear, Nose & Throat Associates, P.C.
- East Carolina Medical Associates
- Eastern Washington Dermatology Associates
- Ellinwood District Hospital
- Family Care Chiropractic Center
- Family Practice Associates of Macomb
- Family Practice of Macomb
- Floyd Trillis Jr., M.D.
- Fredonia Regional Hospital
- Fremont Family Medicine
- Generations Primary Care
- Grace Community Health Center, Inc.
- Grisell Memorial Hospital
- Harding Pediatrics LLP
- Harlan County Health System
- Health Access Program
- Heart Institute of Venice
- Henderson Minor Outpatient Medicine
- Henry County Hospital myhealth portal
- Highgate Clinic
- Hobart Family Medical Clinic
- Howard Stierwalt, M.D.
- Howard University Hospital
- Hudson Essex Nephrology
- Huntington Medical Associates
- Huntington Medical Group
- Hutchinson Regional Medical Center
- Idaho Sports Medicine Institute
- In Step Foot & Ankle Specialists
- Independence Rehabilitation Inc
- Indiana Endocrine Specialists
- Indiana Internal Medicine Consultants
- Indiana Ohio Heart
- Indiana Surgical Specialists
- Indiana University
- Indiana University Health Center
- Indianapolis Gastroenterology and Hepatology
- Internal Medicine Associates
- IU — Northwest
- Jackson Neurosurgery Clinic
- James E. Hunt, MD
- Jasmine K. Leong MD
- Jewell County Hospital
- John Hiestand, M.D.
- Jonathan F. Diller, M.D.
- Jubilee Community Health
- Kardous Primary Care
- Keith A. Harvey, M.D.
- Kenneth Cesa DPM
- Kings Clinic and Urgent Care
- Kiowa County Memorial Hospital
- Kristin Egan MD
- Lakeshore Family Practice
- Lane County Hospital
- Logan County Hospital
- Margaret Mary Health
- Masonboro Urgent Care
- McDonough Medical Group Psychiatry
- Medical Care, Inc.
- Medical Center of East Houston
- Medicine Lodge Memorial Hospital
- MedPartners
- MHP Cardiology
- Michael Mann, MD, PC
- Michelle Barnes Marshall, P.C.
- Michiana Gastroenterology, Inc.
- Minneola District Hospital
- Mora Surgical Clinic
- Moundridge Mercy Hospital Inc
- myhealthnow
- Nancy L. Carteron M.D.
- Naples Heart Rhythm Specialists
- Nate Delisi DO
- Neighborhood Health Clinic
- Neosho Memorial Regional Medical Center
- Neuro Spine Pain Surgery Center
- Norman G. McKoy, M.D. & Ass., P.A.
- North Corridor Internal Medicine
- Nova Pain Management
- Novapex Franklin
- Oakland Family Practice
- Oakland Medical Group
- Ohio Physical Medicine & Rehabilitation Inc.
- On Track For Life
- Ottawa County Health Center
- Pareshchandra C. Patel MD
- Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
- Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
- Parrott Medical Clinic
- Partners In Family Care
- Personalized Health Care Of Tucson
- Phillips County Hospital
- Physical Medicine Consultants
- Physicians of North Worchester County
- Precision Weight Loss Center
- Primary & Alternative Medical Center
- Prince George's County Health Dept.
- Rebecca J. Kurth M.D.
- Relief Center
- Republic County Hospital
- Ricardo S. Lemos MD
- Richard A. Stone M.D.
- Richard Ganz MD
- River Primary Care
- Rolando P. Oro MD, PA
- Ronald Chochinov
- Sabetha Community Hospital
- Santa Cruz Pulmonary Medical Group
- Santone Chiropractic
- Sarasota Cardiovascular Group
- Sarasota Center for Family Health Wellness
- Sarasota Heart Center
- Satanta District Hospital
- Saul & Cutarelli MD's Inc.
- Shaver Medical Clinic, P. A.
- Skiatook Osteopathic Clinic Inc.
- Sleep Centers of Fort Wayne
- Smith County Hospital
- Smith Family Chiropractic
- Somers Eye Center
- South Forsyth Family Medicine & Pediatrics
- Southeast Rehabilitation Associates PC
- Southgate Radiology
- Southwest Internal Medicine & Pain Management
- Southwest Orthopaedic Surgery Specialists, PLC
- Stafford County Hospital
- Stephen Helvie MD
- Stephen T. Child MD
- Susan A. Kubica MD
- Texas Childrens Hospital
- The Children's Health Place
- The Heart & Vascular Specialists
- The Heart and Vascular Center of Sarasota
- The Imaging Center
- The Johnson Center for Pelvic Health
- The Medical Foundation, My Lab Results Portal
- Thompson Family Chiropractic
- Trego County Hospital
- Union Square Dermatology
- Volunteers in Medicine
- Wells Chiropractic Clinic
- Wichita County Health Center
- William Klope MD
- Wyoming Total Health Record Patient Portal
- Yovanni Tineo M.D.
- Zack Hall M.D.
The MIE press release included few details about exactly how hackers accessed its systems:
"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."
The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?
The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.
MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.
The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:
"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."
My wife didn't recognize either Concentra or NoMoreClipboard by name. The notice she received listed the following patient information as exposed or stolen:
"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"
This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.
Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:
"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."
This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.
I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.
Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.
The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.
What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items were repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.
I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:
"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."
"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."
"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."
Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement on the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.
So, what to make of this breach? I see several issues:
- Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
- Update online policies: health care providers' websites should identify their EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify a breach notice they receive from a vendor. When policies don't mention vendors by name, verification is harder.
- Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
- Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).
In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.
During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.
Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?