Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues
Tuesday, July 28, 2015
In early June, Medical Informatics Engineering (MIE) announced a data breach in which unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June. MIE began notifying affected patients on July 17.
The July 24, 2015 MIE press release about the breach stated:
"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."
NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible by a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.
According to its breach FAQ page, MIE's client list includes:
- Concentra,
- Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
- Franciscan St. Francis Health Indianapolis,
- Gynecology Center, Inc. Fort Wayne,
- Rochester Medical Group,
- RediMed, and Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)
NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):
NoMoreClipboard.com Clients Affected By Data Breach:
- Advanced Cardiac Care
- Advanced Foot Specialists
- All About Childrens Pediatric Partners, PC
- Allen County Dept of Health
- Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
- Altagracia Medical Center
- Anderson Family Medicine
- Arkansas Otolaryngology, P.A.
- Auburn Cardiology Associates
- Basedow Family Clinic Inc.
- Bastrop Medical Clinic
- Batish Family Medicine
- Beaver Medical
- Boston Podiatry Services PC
- Brian Griner M.D.
- Brightstarts Pediatrics
- Burnsville Medical Center
- Capital Rehabilitation
- Cardiovascular Consultants of Kansas
- Carl Gustafson OD
- Carolina Gastroenterology
- Carolina Kidney & Hypertension Center
- Carolinas Psychiatric Associates
- Center for Advanced Spinal Surgery
- Chang Neurosurgery & Spine Care
- Cheyenne County Hospital
- Children's Clinic of Owasso, P.C.
- Clara A. Lennox MD
- Claude E. Younes M.D., Inc.
- CMMC
- Coalville Health Center
- Cornerstone Medical and Wellness, LLC
- Cumberland Heart
- David A. Wassil, D.O.
- David M Mayer MD
- Dr. Alicia Guice
- Dr. Anne Hughes
- Dr. Buchele
- Dr. Clark
- Dr. Harvey
- Dr. John Labban
- Dr. John Suen
- Dr. Puleo
- Dr. Rajesh Rana
- Dr. Rustagi
- Dr. Schermerhorn
- Dr. Shah
- Ear, Nose & Throat Associates, P.C.
- East Carolina Medical Associates
- Eastern Washington Dermatology Associates
- Ellinwood District Hospital
- Family Care Chiropractic Center
- Family Practice Associates of Macomb
- Family Practice of Macomb
- Floyd Trillis Jr., M.D.
- Fredonia Regional Hospital
- Fremont Family Medicine
- Generations Primary Care
- Grace Community Health Center, Inc.
- Grisell Memorial Hospital
- Harding Pediatrics LLP
- Harlan County Health System
- Health Access Program
- Heart Institute of Venice
- Henderson Minor Outpatient Medicine
- Henry County Hospital myhealth portal
- Highgate Clinic
- Hobart Family Medical Clinic
- Howard Stierwalt, M.D.
- Howard University Hospital
- Hudson Essex Nephrology
- Huntington Medical Associates
- Huntington Medical Group
- Hutchinson Regional Medical Center
- Idaho Sports Medicine Institute
- In Step Foot & Ankle Specialists
- Independence Rehabilitation Inc
- Indiana Endocrine Specialists
- Indiana Internal Medicine Consultants
- Indiana Ohio Heart
- Indiana Surgical Specialists
- Indiana University
- Indiana University Health Center
- Indianapolis Gastroenterology and Hepatology
- Internal Medicine Associates
- IU — Northwest
- Jackson Neurolosurgery Clinic
- James E. Hunt, MD
- Jasmine K. Leong MD
- Jewell County Hospital
- John Hiestand, M.D.
- Jonathan F. Diller, M.D.
- Jubilee Community Health
- Kardous Primary Care
- Keith A. Harvey, M.D.
- Kenneth Cesa DPM
- Kings Clinic and Urgent Care
- Kiowa County Memorial Hospital
- Kristin Egan MD
- Lakeshore Family Practice
- Lane County Hospital
- Logan County Hospital
- Margaret Mary Health
- Masonboro Urgent Care
- McDonough Medical Group Psychiatry
- Medical Care, Inc.
- Medical Center of East Houston
- Medicine Lodge Memorial Hospital
- MedPartners
- MHP Cardiology
- Michael Mann, MD, PC
- Michelle Barnes Marshall, P.C.
- Michiana Gastroenterology, Inc.
- Minneola District Hospital
- Mora Surgical Clinic
- Moundridge Mercy Hospital Inc
- myhealthnow
- Nancy L. Carteron M.D.
- Naples Heart Rhythm Specialists
- Nate Delisi DO
- Neighborhood Health Clinic
- Neosho Memorial Regional Medical Center
- Neuro Spine Pain Surgery Center
- Norman G. McKoy, M.D. & Ass., P.A.
- North Corridor Internal Medicine
- Nova Pain Management
- Novapex Franklin
- Oakland Family Practice
- Oakland Medical Group
- Ohio Physical Medicine & Rehabilitation Inc.
- On Track For Life
- Ottawa County Health Center
- Pareshchandra C. Patel MD
- Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
- Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
- Parrott Medical Clinic
- Partners In Family Care
- Personalized Health Care Of Tucson
- Phillips County Hospital
- Physical Medicine Consultants
- Physicians of North Worchester County
- Precision Weight Loss Center
- Primary & Alternative Medical Center
- Prince George's County Health Dept.
- Rebecca J. Kurth M.D.
- Relief Center
- Republic County Hospital
- Ricardo S. Lemos MD
- Richard A. Stone M.D.
- Richard Ganz MD
- River Primary Care
- Rolando P. Oro MD, PA
- Ronald Chochinov
- Sabetha Community Hospital
- Santa Cruz Pulmonary Medical Group
- Santone Chiropractic
- Sarasota Cardiovascular Group
- Sarasota Center for Family Health Wellness
- Sarasota Heart Center
- Satanta District Hospital
- Saul & Cutarelli MD's Inc.
- Shaver Medical Clinic, P. A.
- Skiatook Osteopathic Clinic Inc.
- Sleep Centers of Fort Wayne
- Smith County Hospital
- Smith Family Chiropractic
- Somers Eye Center
- South Forsyth Family Medicine & Pediatrics
- Southeast Rehabilitation Associates PC
- Southgate Radiology
- Southwest Internal Medicine & Pain Management
- Southwest Orthopaedic Surgery Specialists, PLC
- Stafford County Hospital
- Stephen Helvie MD
- Stephen T. Child MD
- Susan A. Kubica MD
- Texas Childrens Hospital
- The Children's Health Place
- The Heart & Vascular Specialists
- The Heart and Vascular Center of Sarasota
- The Imaging Center
- The Johnson Center for Pelvic Health
- The Medical Foundation, My Lab Results Portal
- Thompson Family Chiropractic
- Trego County Hospital
- Union Square Dermatology
- Volunteers in Medicine
- Wells Chiropractic Clinic
- Wichita County Health Center
- William Klope MD
- Wyoming Total Health Record Patient Portal
- Yovanni Tineo M.D.
- Zack Hall M.D.
The MIE press release included few details about exactly how hackers accessed its systems:
"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."
The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?
The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.
MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.
The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:
"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."
My wife didn't recognize either Concentra or No More Clipboard by name. The notice she received listed the following patients' information as exposed or stolen:
"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"
This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.
Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:
"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."
This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.
I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.
Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.
The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.
What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess happen with electronic medical records? I hope not.
I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:
"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."
"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."
"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."
Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement on the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.
So, what to make of this breach? I see several issues:
- Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
- Update online policies: health care providers' websites should identify the EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice they received. When policies don't mention vendors by name, verification is harder.
- Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
- Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).
In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.
During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.
Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?
Found you on twitter while searching @MIEHR. Thank you for taking the time to post this information. It's more than you can get from MIE. I, like a lot of others, got my notice this morning about the breach and MIE's lack of security and wondered why this was the first time I'm hearing about this. I'm sure the providers have known for months. It's nice how the letter tells me all the things I should do to address their mistake but MIE doesn't once apologize for their failure to protect my information. I'll keep up with your blog and appreciate your efforts.
Posted by: Willbert | Tuesday, July 28, 2015 at 01:42 PM
Willbert:
Thanks for the comment. Glad that you found the blog post helpful and informative. When I learn more, I will post on this blog. So far, no replies from MIE via Twitter.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Tuesday, July 28, 2015 at 01:53 PM
My husband and I each got a letter. We also live in Mass. I started to research tonight to see if this is a scam. Sounds legit I guess, but I'd like to know how they got our medical info too. My husband has had very little need for medical attention for years, so not many institutions have his info - aside from pharmacies. Very confusing. Thanks!
Posted by: Stacey | Tuesday, July 28, 2015 at 08:16 PM
My wife and I got our July 17, 2015 dated notices today. Same text. And we are in Denver and have been here for 20+ years. Recognize none of the above clients and have never been with Concentra. Really makes me wonder why and how they have our info. Also thought scam initially, but as noted above sounds legit scanning mie and other sites.
Growing tired of these. Got caught up in the Home Depot breach and that protection is still in place for a bit more, but not confident that service will catch anything anyway. Froze credit accounts years ago
Agree with above issues but nothing will never happen. Too much data and too little security as these companies are clueless on security. Give me a Linux system and I'll lock it down for you. Forget Windows and the Cloud. Cloud system security is far behind the technology. Multiple VMs on one server rented for business use. Just rent VM time and hack away....
Thanks.
-ken
Posted by: Ken | Tuesday, July 28, 2015 at 11:36 PM
I, too, rec'd letter, but don't know why they have my info. I visited dentist about a year ago and had eyes checked in June 2015. What is MIE doing with my name, etc. I'm confused and concerned. Also, I followed instructions provided in letter, but was unable to enroll ProtectMyID...Help?
Posted by: Dana | Wednesday, July 29, 2015 at 03:53 AM
Everyone:
Thanks for sharing your comments. You are not alone. This morning, I spoke with Concentra's regional human resources manager, Mrs. Wallace. She was very helpful. As I learn more, I will post it on this blog. There is much more to this story.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, July 29, 2015 at 10:44 AM
so, is anyone going to enroll in the experian protection???
any suggestions on what we should/shouldn't do is much appreciated.
Posted by: Stacey | Wednesday, July 29, 2015 at 10:52 AM
Stacey:
I am curious to hear what other people's decision is about whether or not to sign up for the free Experian ProtectMyID Elite service arranged by MIE. Our decision whether or not to sign up will be based upon:
1. What we learn about the extent of the breach,
2. Limited coverage: as explained in the above blog post,
3. As you know, a CREDIT monitoring service does little to protect your MEDICAL records, and
4. What we learn about HOW medical records are shared between companies.
We already have Security Freezes on our 3 major credit reports from prior data breaches. If you don't know what a Security Freeze is, there are plenty of resources in this blog. You can start reading here:
http://ivebeenmugged.typepad.com/my_weblog/2008/04/security-freeze.html
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, July 29, 2015 at 11:43 AM
Thank you! I got such a letter too and I am searching for the same answers. I am very interested in finding out what others are going to do with Experian's ProtectMyID: what shall we be aware of and what to check.
Thank you!
Posted by: Irma | Wednesday, July 29, 2015 at 12:46 PM
I would like to file a HIPAA complaint. What shall I state there? Any advice how to make it more effective?
Posted by: Irma | Wednesday, July 29, 2015 at 12:50 PM
I got my July 17 notice yesterday also. I tried calling the hotline and explained to them that I've never done business with Concentra, and they basically said they can't give much info about how MIE obtained the medical records. The person I spoke to tried to downplay the breach by saying this letter and the offer for ProtectMyID was precautionary.
I have a feeling that this breach is probably larger than they make it seem, and yes there is probably much more to the story than what we're being told.
Posted by: Pat | Wednesday, July 29, 2015 at 01:19 PM
I have just contacted this line too. I requested the list of the companies who used the services of Concentra. Plus I requested any information that will help me to find their report with the officials (FBI) - number of the report, date, etc. They said they will "escalate" these questions to the supervisor, who is supposed to call me back I think within 48 hours. It was really difficult to talk to them as there was really heavy noise in the background and the person did not want to be very articulate as well.
Posted by: Irma | Wednesday, July 29, 2015 at 02:13 PM
For people MIE claimed Concentra was the source of your data:
Like you, my wife and I are very concerned. Stay tuned. I hope to have more about this soon.
Irma:
Thanks for sharing your comments and for investigating with MIE. Please share whatever you learn. As I mentioned in my blog post, MIE subcontracted the hotline operation to another company, so what they tell us is very limited. Keep pushing for answers! I will do the same.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, July 29, 2015 at 03:08 PM
George:
I live in Fort Wayne, Indiana, where MIE is headquartered. I have sent emails to the author of the breach letter (Eric Jones) and asked for specific information about my health care information. No response thus far, which is no surprise. I did contact the local newspaper, The Journal Gazette and they did interview me and then sent a photographer to my home. The story will appear in the Sunday, August 2nd issue of the Journal Gazette. The reporter from the Journal Gazette was trying to get a comment from Eric Jones. Am very interested in any commentary from Eric Jones. I agree with your interpretation--MIE is more interested in avoiding liability than communicating with those affected.
After 3 attempts I did reach the MIE "hotline". However, the representative was not able to answer my questions. She did offer to escalate the call to a supervisor, but I will not receive a call back for approximately 48 hours.
I did attempt to register with Experian, but could not. I called the help line but the hold time was so lengthy I was not even placed on hold. The recording suggested that I try back later because call-volume was so high. So, I still do not have answers about my compromised health care information.
-Lee
Posted by: Lee Rottinghaus | Wednesday, July 29, 2015 at 03:15 PM
Thank you for providing direction and edification. I attempted to enroll as per directions in letter I rec'd, but to no avail. Now I don't even know if I want to bother...Looks like I'm going to have to go through the joy of calling for info (as to why MIE has my info)---good luck to all of us, right?!! Thank you again for your insights and information, G.
Posted by: Dana | Wednesday, July 29, 2015 at 03:30 PM
Lee and Dana:
Thanks for sharing your comments with your experiences. It is sad and troubling to hear that you were unable to register for the Experian service. I look forward to reading the Sunday, August 2 article in the Journal Gazette.
My informal list of states with consumers affected by the MIE breach: California, Colorado, Idaho, Indiana, Maryland, Massachusetts, New Hampshire, Texas, and the District of Columbia. Maybe we'll hear more comments from people in these or other states.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, July 29, 2015 at 05:03 PM
Got the letter from MIE today and my spouse did too. No, we have done no business with any of the listed providers nor with Concentra. Called the "hot line" and spoke with Bonnie. Bonnie got the job two days ago and had no useful information. I asked to be notified about who had contracted with MIE to host my personal health information (PHI) and perhaps Bonnie's supervisor will call me back. Yeah, right.
Looked up MIE on the Indiana Secretary of State website. Eric Jones is listed as Secretary. MIE stands for Medical Informatics Engineering. The practice of Engineering is regulated in Indiana and you must be a Professional Engineer (PE) to practice. Interestingly enough there is an "Eric Steven Jones" licensed as an engineering intern in Indiana. An engineering intern may only practice under the supervision of a PE. And Indiana has a pretty strict definition of "offering the services of engineering" with an exemption for "manufactured products". Does hosting of a website/database containing PHI qualify as a manufactured product or is it a service? We will find out because I filed a complaint with the Indiana Attorney General's office that 1. MIE was practicing without a license and 2. Eric Steven Jones was practicing without a PE license when he only has an IET license.
Full disclosure - I am a PE
The purpose of licensure is to protect the health and safety of the public. Has the health or safety of the public been adversely affected by this breach of data by MIE?
Posted by: Philip Duclos | Wednesday, July 29, 2015 at 05:28 PM
This is my second breach this year and once again they offer limited amount of protection.
As you stated, why only 1 credit agency and not all? However, my biggest qualm is that some of the data breached will never change, so what good does 2 years do when my SSN/Birthday never change in my lifetime?
Companies that deal with identity information need to be able to protect that data or not work in that kind of environment. I know the HIPAA rules from the government and am also involved in IT. Therefore, I personally know what's involved with this security but am also aware of the risks.
Companies need to be able to protect my data, and have a budget for it in case this happens.
How can we get a bill in place to get this done?
Or how can I get a class action lawsuit going for lifetime protection?
Posted by: Ivan | Wednesday, July 29, 2015 at 05:33 PM
I also received a letter dated July 17, 2015. This letter lists the name of the provider I have used in Arkansas who uses NoMoreClipboard. The list of affected data includes address, phone, email, username, password, birth date, and security question. I found this site while researching whether it was a scam and whether I should pursue the offer of Experian's ProtectMyID Elite.
My provider does have a note on their home page alerting one to the cyber attack. I am quite sure that I have provided more information on that site than is listed above including insurance and health records, although, of course, I know as little as everyone else on what happened and how much was included in this attack.
A question-does the information you write down on the clipboard at the doctor go into the same system? Does it make any difference whether I write it down or use my computer if it's all going into the same retrieval system?
Posted by: Renee | Wednesday, July 29, 2015 at 08:59 PM
It's a mess, that's for sure! This is my 2nd breach as well--Home Depot the other. I haven't been to a doctor in years (Nevada), let alone any on that wonderfully inclusive list (thanks so very much) of medical places in IN, MI, et al. I doubt I'm going to sign on to Experian cuz what good does "monitoring" do really...I mean, if they were about circumventing possible issues, ok. I like that class action lawsuit idea, but it'd probably take a lifetime to get any kind of result. Gosh, I sound so negative and jaded and I'm not much that way in life; it's just that this security stuff is wearing, frustrating, and a bit nerve-wracking insofar as 'what next'. I'm all for hearing any advice you all have to offer because I'm not savvy with stuff like this at all!
Posted by: Dana | Wednesday, July 29, 2015 at 09:34 PM
Alabama can be added to the list of states.
Posted by: Colette | Wednesday, July 29, 2015 at 09:38 PM
My husband and I both received the letter - we are in TN - can't figure what our connection is to Concentra?? Trying to figure out if this Experian step is worth it.... Really tired of all these breaches....
Posted by: Elizabeth Baugh | Thursday, July 30, 2015 at 09:05 AM
I received the same letter. Called the hotline in the letter, waited almost an hour to be connected to a representative. The letter stated I could obtain the identity of the affected healthcare provider. The representative told me they had absolutely no information on the identity of the healthcare provider. I waited on hold for almost an hour to get absolutely NO information that the letter informed me I could obtain. Very frustrating.
Posted by: Frustrated in WY | Thursday, July 30, 2015 at 10:38 AM
A friend of mine in FL got the letter a couple of days ago and I got it yesterday in AZ. My thought is this feels scammy, like some way to generate business for Experian. After two years, will the Experian coverage just stop, or will they just start billing me and I would have to contact them to get rid of it? I plan to toss this letter and just watch my finances on my own with the protections I already have in place.
Posted by: Bart Kolodziejczak | Thursday, July 30, 2015 at 01:09 PM
I contacted my local Concentra, which I had visited a few years back; their administrator confirmed that they received a data breach email from MIE and gave me her contact # for them. I spoke to a representative today and he assured me my name, birthdate, phone and address were leaked (but not my social security number). I'm keeping the letter in case anyone tries to steal my identity down the road, but the reviews for Experian ProtectMyID are not good. I'll keep checking my insurance claims now like I check my credit cards and banking activity. This is such a huge inconvenience. Makes me want to pay cash for everything and skip any service that requires relinquishing personal information. Pain in the ...
Posted by: Jennifer | Thursday, July 30, 2015 at 02:08 PM
Everyone:
For those who want to learn more about HIPAA, what information is protected, and your rights, I found this page a good place to start reading:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
And, you may find this helpful:
http://healthcare.findlaw.com/patient-rights/what-can-i-do-after-an-improper-disclosure-of-medical-records.html/
It seems that the information compromised in the MIE breach varies by person. Some people had more info exposed than others. So, any HIPAA complaint you submit will vary given your situation. See the breach notice you received from MIE and use the data elements listed in it with your complaint submission.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, July 31, 2015 at 01:33 AM
Update - just found out that we got the letter because my husband is an employee of HP and it was through their benefits dept using Concentra.
Posted by: Stacey | Friday, July 31, 2015 at 07:20 PM
Stacey:
Thanks for sharing. Your situation is different from my wife's because you have a clear, valid connection to Concentra via health care services through your husband's employer. My wife and I do not have such a connection to Concentra. We are trying to find out how Concentra got her information.
What makes the whole thing tricky is that the amount of information compromised by the MIE breach seems to vary by person. You may (or may not) have had a lot more information compromised than my wife. Your breach notice from MIE should list the data elements compromised, and if the elements apply to one or more persons (e.g., your husband, you, children). I do not know your particulars, nor if MIE offered to you the same Experian credit monitoring services that it offered to my wife.
If you can share more, that would be great. I am curious to hear, but don't break any confidentiality. And, I think that other breach victims are curious, too.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, July 31, 2015 at 07:50 PM
Sure - As for what was breached, my letter says SSN, Address, DOB; my husband's letter says SSN, Address, DOB, & Email address.
Yes, they offered us the same protection service thru Experian that others have mentioned above.
The Email from HR explained "HP provided eligibility data to Concentra so that employees and spouses would be able to participate in the screening process and earn wellness incentive credits. The data was used by Concentra solely for member identification purposes." I do not believe they are using Concentra any longer. They recommend you sign up for the credit monitoring, and finish with "For more information regarding the specifics of the security breach and the services MIE has put in place, please visit https://www.mieweb.com/notice/ or call 1-866-328-1987."
Posted by: Stacey | Saturday, August 01, 2015 at 09:37 AM
The thing that this latest data breach brings home for me and, I think, for us all is just how valuable our personal information is and how even our Protected Health Information (PHI) is collected, traded, and otherwise used for others' profits without any meaningful consent from each of us. Indeed, users' personal information is the modern Internet's currency, which is the source of nearly every Internet firm's revenues and profits, but especially of those who offer services and goods to us without charging a price in money for those goods and services. There is an old saying from earlier days of the Internet that captures this well: "If you're not paying for something, you're not the customer; you're the product being sold."
So we have all been reduced to being mere chattels. And we are so reduced because our personal information, the information that we author by and through our actions, belongs to everyone except us. And since we are our information and the acts that create it, it follows that, our information not being ours but belonging to others, we, a fortiori, are just others' property. And being nothing more than property, our rights, the right to privacy, our dignity, etc., must be subordinate and subservient to the true owners', Google, Facebook, MIE, and their ilk's, rights and interests.
So get used to being sold on the Internet and its modalities, and get used to nefarious people breaking into your owners' computers to steal you, i.e., your personal information, so that they can sell or otherwise exploit you through fraud, extortion, or by some other nefarious means.
How did this happen? And when did we cease to own the personal information that is such an essential part of who we are and become another's property, having only those limited rights and remedies that government deigns to grant us, rather than stronger, fuller, and complete constitutional rights as the owners of our personal information?
Posted by: Chanson de Roland | Saturday, August 01, 2015 at 05:00 PM
I am in Kentucky and also received the 17 July security breach letter offering 2 years free credit monitoring by Experian's ProtectMyID Elite. This letter states information that was compromised but does not state in any way what facility or any association that it may have come from. Today is Saturday; so I will have to call on Monday for more info. Good luck everyone.
Posted by: Misty | Saturday, August 01, 2015 at 09:05 PM
We received the same letter from MIE and our problem is that we both have the same 1st name and were confused as to who the letter is to since it only has 1st and last name on it and no other identifying items. But I did work for HP/Compaq for 19 years, and quit 2 years ago this past July. So if the letter is to me I guess it doesn't matter if HP still uses Concentra or not since they still have our info on file. Personally I believe not being able to use your SSN for anything besides your job reporting your earned income to IRS and SSA would go a long way in helping prevent use of your info obtained in data breaches.
Posted by: Tracy | Sunday, August 02, 2015 at 12:41 AM
My mother received the same letter... Wichita, KS, and at my first look at the letter it appears to be a scam. The letter gives a scare tactic then wants to offer "free" two year protection by signing up with ProtectMyID... who knows, this Eric Jones may be getting a bonus every time someone signs up. Remember nothing is free. I will continue to research.
Thanks...really appreciate everyone's feedback.
Posted by: J Whiley | Sunday, August 02, 2015 at 10:22 AM
Everyone:
You may find the information in Monday's blog post helpful:
Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian
http://ivebeenmugged.typepad.com/my_weblog/2015/08/lawsuits-mie-experian.html
As I learn more, I will share it in blog posts.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, August 03, 2015 at 09:48 AM
I received the letter maybe a week or so ago -- it's been sitting in a pile of mail that I just got around to opening this morning. I live in TN and have never dealt with anyone at Concentra -- I've never received a bill from a Concentra, used an urgent care under that name, been drug tested by one of their facilities, etc. You made mention above in your post about speaking to someone at "Epic" and I do know that Epic is now the online medical records provider that one of our large local hospitals has gone to so I'm wondering if this is the connection for me. Supposedly just my address, phone and birth date was leaked. No wonder I can't get the hell off any do not call lists. What a joke of a country we live in. I don't think the ProtectMyID is a scam -- it's just one more lame attempt at covering someone's you know what.
Posted by: Kim | Monday, August 03, 2015 at 10:33 AM
George,
I live in Ohio; add that to the list of states affected. I and several family members received the MIE letters. I receive medical services in Fort Wayne, IN, home of MIE. Several of my docs and health care providers are on the breach list. Also, FW is home to the Journal-Gazette newspaper; article previously mentioned. I suspect that some of my family members' info was compromised, because I had added them to MY emergency contact lists. If I had not added them, then they would not be able to obtain ANY info about my medical condition.
I am outraged at MIE. It is my understanding that it is not all that difficult to have security measures in place on computer systems right from the get-go. After reviewing MIE's own web site, I see that they wholeheartedly brag about their credentials and what a wonderful business they have built. Nowhere did they mention that their customers' information security was a priority, or how they were managing that.
Although those who actually steal from others (i.e., identity thieves) should be punished, I also believe that the MIE execs should be held accountable. The MIE letter states, "We take the security...very seriously...and apologize for the inconvenience." Are you kidding me? How is "taking seriously" and "apologizing" helping me and the 5 million others?!? Note that only 1.5 million are Hoosiers; the other nearly 4 million are from other states. If MIE is truly sorry, they will make lifetime restitution to those of us whose personal information has been compromised AND cover the lifetime expenses of those whose identities are actually stolen. I believe that each and every individual who received the MIE letter should, minimally, have a LIFETIME of the BEST IDENTITY THEFT PROTECTION paid for in full by MIE. None of this 2-year nonsense. Thieves can be quite patient. Two years isn't all that long. And call me skeptical--but, I've dealt with trying to stop credit card payments before--they will keep withdrawing the money from your account; it is extremely difficult to stop after the "free trial" period.
Although, according to the Journal Gazette, a lawyer from Indianapolis is currently filing a 5 million dollar suit against MIE, how will that help Hoosiers and how will it help the non-Hoosiers? I would like to hear from the lawyer for his take on all of this. I will continue to follow others' reactions to this issue. Thanks.
Posted by: Bobbie | Monday, August 03, 2015 at 12:23 PM
Misty, Tracy, and J Whiley: thanks for sharing!
Irma: about your question of what to put in a HIPAA complaint, I have not forgotten you. I am still researching answers. More to come. Please hang in there.
Kim: just like you, my wife and I never used Concentra urgent care services. That's why I contacted them to learn from Concentra exactly how they acquired my wife's info. Hopefully, I will get some answers soon. Will share what I learn.
Bobbie: I understand how you feel. We feel much the same way. If you read HIPAA laws, they seem tilted towards employers sharing information with health care providers. The general lack of notice and consent are troublesome.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, August 03, 2015 at 12:40 PM
Hello,
This is a good article to read about the different providers associated with the breach:
http://www.net-security.org/secworld.php?id=18700
and
http://www.mieweb.com/notice/
and
http://www.mieweb.com/notice/faqs
Plus, I had issues with Experian Protect My ID as well but switched to a computer. The sign-on should be the email you used in step #1. I only found this out by switching to signing on by computer and it auto-populated that field for me.
Hope this helps some :)
From what I can tell the information stolen can be dated back to 1997.
Posted by: Jessica | Monday, August 03, 2015 at 01:51 PM
Hello, my parents received the same letter. I let them know to check their credit cards and checking accounts and then keep an eye out and keep the letter. I was going to have them sign up for the Experian but from what is listed above no one is doing it. Any advice or suggestions? I feel terrible and hope this doesn't affect anyone and my parents for that matter.
Posted by: Daniella | Monday, August 03, 2015 at 04:33 PM
My wife works at HP but we have never used HP's health benefits. Now my information is compromised!!! Why would they share our data with Concentra, who apparently shared it with MIE, when we don't even use these benefits? And why is there never any liability for these breaches? This will continue to happen until there are severe financial consequences for all the companies that are careless.
Posted by: R e | Monday, August 03, 2015 at 10:48 PM
Add Georgia to the list. I have lived here for over 28 years. I also worked at DEC/Compaq/HP since 1976. HIPAA sounds great in concept and on paper, but seldom (if ever) are enforcement actions taken with real teeth. A universal class action suit with federal investigation (FBI) should be aggressively pursued. There are just too many cracks/gaps in current revelations. Still waiting for a clear consensus on joining the Experian monitoring service. There doesn't appear to be a monitoring service for health (non-credit) clearinghouse.
Mike P
Posted by: Mike P | Tuesday, August 04, 2015 at 09:37 AM
So, here is the question: should you do the Experian free trial for 2 years? You have until October to sign up. Thoughts, anyone?
Posted by: Daniella | Tuesday, August 04, 2015 at 12:55 PM
B. here from Texas. Got the letter myself last week. What is really strange about the whole affair is that at least 90% of my coworkers also received the letter from MIE (not No More Clipboard). I work at a nuclear power plant. We have direct employees and contract employees here on site. Each contractor has their own health plans run completely independent of ours, yet many of the contracted employees also received these notices. There is one thing that we all have in common - continuous random drug testing & initial hire drug screening. I wonder if the laboratory we use (Quest Diagnostics) was a silent partner of this data breach? I am suspicious of that one common tie since if it was a breach through our corporate insurance policies, wouldn't my wife also have received a notice? The few cases where a spouse or dependent also received a notice the only common tie was through routine testing for an existing medical condition - and they used Quest Diagnostics. I have never used a Concentra urgent care clinic, nor have I ever submitted data to them for any type of medical benefit screenings either.
Like others, I called the information hot line and got very little useful information. I did sign up for the credit monitoring. It was uneventful and actually went pretty smoothly. I used a desktop from my home to sign up, after verifying that I had a secure connection. Of course that could have been spoofed too, I know.
Like others have posted, I too think that there is a lot of information that is being withheld at this time - for what reason I have no idea. Could it be that the very low-key dissemination of the magnitude of this breach was designed to not cast doubts upon the EHR mandate of the Affordable Care Act?
Posted by: Brad Hancock | Tuesday, August 04, 2015 at 01:13 PM
Brad:
Sorry to hear you were affected. You raise a good question. This document (Adobe PDF format) suggests a business relationship between Medical Informatics Engineering (MIE) and Quest Diagnostics:
https://www.questdiagnostics.com/dms/Documents/hit_quality_solutions/commercial_connectivity_solutions_dec2014-1-/commercial_connectivity_solutions_dec2014%5B1%5D.pdf
Scroll down to page 11. As you can see in the link, this document resides at the Quest Diagnostics site. I found it in 5 minutes with a Google.com search. So, you might call Quest Diagnostics' customer service department and demand some explanations about: a) their business relationship(s) with MIE; b) what data they share with MIE; c) and that you don't consent to the data sharing, since MIE has shown it can't protect it. You might also call MIE and ask them why Quest Diagnostics was not listed in their announced list of affected vendors.
This suggests that the breach is broader than we all thought.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Tuesday, August 04, 2015 at 02:56 PM
Jessica: thanks for providing the link to the Help Net Security article. The article mentioned 5.5 million affected consumers, which seems too high. Why? The U.S. Department of Health & Human Services listed today 3.9 million consumers affected by the breach.
Mike P, Daniella, Bobbie, and R e: thanks for sharing your experiences. As Bobbie wrote, 2 years isn't that long. I agree that thieves are crafty, persistent, and patient. Whatever you decide to do, you'll have to take precautions for longer than 2 years. My wife and I have credit freezes on our credit reports. That prevents financial fraud, but not medical fraud.
Everyone: I hope to have more information in another blog post soon.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Tuesday, August 04, 2015 at 03:05 PM
Texas residents also affected. Rec'd letter that my SSAN, name, etc. were stolen. Be aware that if you sign up for the free two years of protection, you are agreeing that you cannot participate in any class action suit, even after cancellation of policy. Individual arbitration only option. Also, the agreement applies to many entities that are not named (referred to as subsidiaries, parent entities, affiliates, etc...)
Many facilities download PHI from regional and national databases (HIEs) or hospital systems. That might explain why so many don't know how their information was acquired. HIEs are not a good thing - too fraught with danger for the consumer until better security and breach impact responsibility laws are in place.
Thanks for the information. Look forward to follow up.
Posted by: Pam | Monday, August 10, 2015 at 04:36 PM
I am in Ohio and I received one of the July 17th letters too, as did a friend of mine. We cannot figure out what medical provider we have in common that may have used a product or service of MIE and, like others on here, "Concentra" is referenced but is a company with which I am not familiar. It hardly seems right that victims should have to give up anything in order to receive the monitoring/credit protection that MIE itself must think we need due to the data breach at their company. If MIE is going to provide supposed protection to victims, that protection should not be conditioned on the victims accepting the protection giving up their right to file a lawsuit (class action or otherwise) against MIE for any damages they may suffer. Something about that approach by MIE just leaves a bad taste in my mouth.
Posted by: Marnie C. Lambert | Tuesday, August 11, 2015 at 04:52 PM
Pam and Marnie:
Thanks for sharing your comments and experiences. I agree, it is frustrating. Companies seem to easily buy and sell consumers' medical information without consumers' consent. Since consumers can lock down our credit reports, it seems logical that consumers should also be able to lock down their medical records. The latter is something we all should demand of our elected officials.
About the binding arbitration clause in the credit monitoring agreement, I checked the Terms and Conditions page for ProtectMyID (http://www.protectmyid.com/terms/ ). It read:
"This ProtectMyID product ("ProtectMyID") Membership Agreement ("Agreement") is between you and ConsumerInfo.com, Inc. ("CIC" "us" "our" or "we") and explains the terms and conditions under which you may use the ProtectMyID.com ("Website") and the ProtectMyID product, including without limitation, any paid product upgrade features, where applicable, such as ChildSecure and RestoreMyID ("Product")... WE EACH AGREE TO RESOLVE THOSE DISPUTES THROUGH BINDING ARBITRATION OR SMALL CLAIMS COURT INSTEAD OF IN COURTS OF GENERAL JURISDICTION TO THE FULLEST EXTENT PERMITTED BY LAW. ARBITRATION IS MORE INFORMAL THAN A LAWSUIT IN COURT. ARBITRATION USES A NEUTRAL ARBITRATOR INSTEAD OF A JUDGE OR JURY, ALLOWS FOR MORE LIMITED DISCOVERY THAN IN COURT, AND IS SUBJECT TO VERY LIMITED REVIEW BY COURTS. ARBITRATORS CAN AWARD THE SAME DAMAGES AND RELIEF THAT A COURT CAN AWARD. ANY ARBITRATION UNDER THIS AGREEMENT WILL TAKE PLACE ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CIC WILL PAY ALL COSTS OF ARBITRATION, NO MATTER WHO WINS, SO LONG AS YOUR CLAIM IS NOT FRIVOLOUS. HOWEVER, IN ARBITRATION, BOTH YOU AND CIC WILL BE ENTITLED TO RECOVER ATTORNEYS’ FEES FROM THE OTHER PARTY TO THE SAME EXTENT AS YOU WOULD BE IN COURT... For purposes of this arbitration provision, references to "CIC," "you," and "us" shall include our respective parent entities, subsidiaries, affiliates, agents, employees, predecessors in interest, successors and assigns, websites of the foregoing, as well as all authorized or unauthorized users or beneficiaries of services, products or information under this or prior Agreements between us. Notwithstanding the foregoing, either party may bring an individual action in small claims court..."
It seems that binding arbitration is between CIC and the ProtectMyID user, and does not include MIE. You are correct to be concerned as nobody wants to give up their legal rights against MIE. What gives you the impression that binding arbitration includes MIE?
Last, binding arbitration clauses are usually not consumer friendly. I explored the reasons why in this blog post:
10 Tips About How To Read Terms Of Use And Privacy Policies
http://ivebeenmugged.typepad.com/my_weblog/2015/06/how-to-read-policies.html
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, August 12, 2015 at 08:06 AM
Thank you for that clarification George! It certainly does not sound like there are any "strings attached" to the free 2 year protection being offered by MIE so that is a big relief! I am not surprised that there is a class action waiver or mandatory arbitration clause in an agreement with a credit monitoring company. I am so frustrated with how many security breaches of private health and financial information there are these days! It makes you wonder if the healthcare industry and the financial industry are really spending the time and money they are supposed to be on keeping our sensitive personal information confidential. From what I have read, the cost of cybercrimes to Americans is staggering. Thanks for shining a light on these important issues!
Posted by: Marnie C. Lambert | Wednesday, August 12, 2015 at 11:02 AM
Thank you for posting this George. My story is exactly the same as yours including the date on the letter, the claim that a company I've never heard of, Concentra, was the source. I have no idea exactly what data of mine was compromised or where that data came from. I'm dismayed to learn that companies have my personal data in their systems yet I have no idea how or why it got there... did I give permission for them to have it (buried somewhere in 50 page long terms of use)? I awoke this morning to an email alert from ProtectMyID and was extremely panicked until I finally determined (after waiting on hold with Experian for over an hour listening to horrible anxiety producing music) that it was a legitimate credit update. As the weeks and months go by the chances of our sensitive data being used for nefarious purposes increases. I believe we should have protection from ALL the credit monitoring companies, not just one. It should also extend out at least 5 years. We may be able to change our passwords and email addresses, but our names, SSN, birth dates don't change after the 2 year monitoring expires...
Posted by: Sandra | Thursday, August 13, 2015 at 01:58 PM
Sandra:
Thanks for sharing. I agree. It is frustrating. Infuriating, too. 2 years is not long enough. Not even close. The risk will be there for a long time.
I have had several conversations with Concentra about when, where, and how they acquired my wife's information. And, all of this assumes MIE's records are accurate. As I learn more, I will share it. Stay tuned.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Thursday, August 13, 2015 at 02:29 PM
Thanks to everyone for the information on this site. I live in the state of Washington. I received the July 17 letter a couple of weeks ago and have been wondering about its legitimacy. My letter only mentions NoMoreClipboard but contains no reference to MIE or Concentra. The letter states that the compromised data includes: Address, Email, UserName, Password, and Security Question. In order to activate the Experian ProtectMyID service I would need to enter additional information including my SSN. Somehow, providing more sensitive data to potentially limit the effects of a theft of less sensitive data doesn't seem like a prudent thing to do. For now I am going to pass on the Experian offer, but I will continue monitoring this site for new developments.
Posted by: Steve Schack | Thursday, August 13, 2015 at 02:38 PM
I just signed up on the protectmyid, and realized it might be a scam. What can I do to protect my ID security now? Thanks in advance.
Posted by: Lee | Sunday, August 16, 2015 at 11:13 PM
Lee:
Experian is a real company. And, its ProtectMyID is a real service. So, I don't know what you mean when you use the word "scam." A lot of people use that word without knowing its legal meaning.
It sounds like you might be worried that you may not get the value you hoped. If you are truly concerned, then maybe get a consultation with a privacy attorney to help you review the ProtectMyID agreement. Or, maybe get an attorney to help you decide if the class action against MIE is for you. I do not know your situation.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, August 17, 2015 at 12:07 AM
Hello George,
I have been out of town and just opened my July 17 letter from MIE. The client they mention is RediMed. I have never heard of it before. I looked up RediMed, but did not recognize any of the providers they listed. Do I follow the same procedure and sign up with Experian? Should I contact my Credit Union? Thank you, Cindy
Posted by: Cindy Cole | Friday, August 21, 2015 at 06:16 PM
Cindy:
Thanks for sharing your experience. MIE did list RediMed on its above list of clients. You might contact RediMed and ask them to explain exactly when, how, and why they acquired your information, since the RediMed name is unfamiliar to you. I'd be interested in hearing RediMed's explanation, if they give one.
I cannot give you advice about whether or not to sign up for the free Experian credit monitoring service MIE arranged, since I do not know your specific situation. Free is often good. Of course, you should protect yourself. You have several options to do so. Of course, you should closely read the terms and conditions with the free Experian credit monitoring MIE has arranged for its breach victims. You may or may not find those terms agreeable. If there are portions of those terms you don't understand, then maybe get a consultation with an attorney.
Or, you may decide to do-it-yourself and place a Security Freeze on your credit reports. There are several blog posts in this blog about Security Freezes. Or, you may decide to use a competitive branded credit monitoring service, and pay for it. And, of course you should always inspect your bank account (and credit card) statements for any fraudulent entries.
You may be interested in filing a HIPAA complaint. Or, maybe you are interested in joining one of the class action lawsuits. There are several:
Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian
http://ivebeenmugged.typepad.com/my_weblog/2015/08/lawsuits-mie-experian.html
Good luck, and let us know what you decide.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, August 24, 2015 at 10:43 AM
Readers:
My wife and I got some answers to our questions about how Concentra obtained her information. See this update:
FYI: Medical Informatics Engineering, Concentra, Employers, Data Sharing, & Privacy
http://ivebeenmugged.typepad.com/my_weblog/2015/09/update-mie-breach.html
Feel free to share this with others.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Monday, September 14, 2015 at 11:13 AM
Obviously I don't check my mail frequently... just opened a similar notification. Add Michigan to your list.
I'm 25, and I have very little money and almost no knowledge about any of this mumbo jumbo. I certainly don't have a lawyer, and I could not afford one. I went to Concentra ONCE a couple of years ago to make sure I didn't have strep.
From what I can tell, the general consensus is that Experian's offered service is not particularly helpful. I am not sure if I should even bother with it, and, given their reputation, I AM concerned that after the stated two years they will start charging me for services without proper notification.
Are we SOL? Stupid cyber-life!
Posted by: Sara | Monday, September 28, 2015 at 12:07 PM
Has anybody ever heard back from HHS CRU after reporting a breach? I have filed two, not for this breach, but have never heard if they will even take my complaint.
Posted by: stacy | Friday, October 09, 2015 at 10:11 PM