Medical Informatics Engineering Breach Highlights Breach Notice, Privacy, And Cloud-Storage Issues

In early June, Medical Informatics Engineering (MIE) announced a data breach where unauthorized persons accessed its systems. The breach at MIE, an electronic health records vendor used by many health providers, exposed the sensitive Protected Health Information (PHI) of an undisclosed number of patients in several states. MIE began notifying its corporate clients during June. MIE began notifying affected patients on July 17.

The July 24, 2015 MIE press release about the breach:

"FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified."

NoMoreClipboard.com (NMC) is a cloud-based service by MIE for storing patients' health records and making the records easily accessible from a variety of devices: desktops, laptops, tablets, and smart phones. The service is sold to doctors, hospitals, and related professionals.

According to its breach FAQ page, MIE's client list includes:

  • Concentra,
  • Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery),
  • Franciscan St. Francis Health Indianapolis,
  • Gynecology Center, Inc. Fort Wayne,
  • Rochester Medical Group,
  • RediMed, and Fort Wayne Radiology Association, LLC (including d/b/a Nuvena Vein Center and Dexa Diagnostics, Open View MRI, LLC, Breast Diagnostic Center, LLC, P.E.T. Imaging Services, LLC, MRI Center — Fort Wayne Radiology, Inc. f/k/a Advanced Imaging Systems, Inc.)

NoMoreClipboard.com's client list includes many clinics, hospitals, physicians, specialists, attorneys, schools, and more (links added):

NoMoreClipboard.com Clients Affected By Data Breach
Advanced Cardiac Care
Advanced Foot Specialists
All About Childrens Pediatric Partners, PC
Allen County Dept of Health
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Altagracia Medical Center
Anderson Family Medicine
Arkansas Otolaryngology, P.A.
Auburn Cardiology Associates
Basedow Family Clinic Inc.
Bastrop Medical Clinic
Batish Family Medicine
Beaver Medical
Boston Podiatry Services PC
Brian Griner M.D.
Brightstarts Pediatrics
Burnsville Medical Center
Capital Rehabilitation
Cardiovascular Consultants of Kansas
Carl Gustafson OD
Carolina Gastroenterology
Carolina Kidney & Hypertension Center
Carolinas Psychiatric Associates
Center for Advanced Spinal Surgery
Chang Neurosurgery & Spine Care
Cheyenne County Hospital
Children's Clinic of Owasso, P.C.
Clara A. Lennox MD
Claude E. Younes M.D., Inc.
Coalville Health Center
Cornerstone Medical and Wellness, LLC
Cumberland Heart
David A. Wassil, D.O.
David M Mayer MD
Dr. Alicia Guice
Dr. Anne Hughes
Dr. Buchele
Dr. Clark
Dr. Harvey
Dr. John Labban
Dr. John Suen
Dr. Puleo
Dr. Rajesh Rana
Dr. Rustagi
Dr. Schermerhorn
Dr. Shah
Ear, Nose & Throat Associates, P.C.
East Carolina Medical Associates
Eastern Washington Dermatology Associates
Ellinwood District Hospital
Family Care Chiropractic Center
Family Practice Associates of Macomb
Family Practice of Macomb
Floyd Trillis Jr., M.D.
Fredonia Regional Hospital
Fremont Family Medicine
Generations Primary Care
Grace Community Health Center, Inc.
Grisell Memorial Hospital
Harding Pediatrics LLP
Harlan County Health System
Health Access Program
Heart Institute of Venice
Henderson Minor Outpatient Medicine
Henry County Hospital myhealth portal
Highgate Clinic
Hobart Family Medical Clinic
Howard Stierwalt, M.D.
Howard University Hospital
Hudson Essex Nephrology
Huntington Medical Associates
Huntington Medical Group
Hutchinson Regional Medical Center
Idaho Sports Medicine Institute
In Step Foot & Ankle Specialists
Independence Rehabilitation Inc
Indiana Endocrine Specialists
Indiana Internal Medicine Consultants
Indiana Ohio Heart
Indiana Surgical Specialists
Indiana University
Indiana University Health Center
Indianapolis Gastroenterology and Hepatology
Internal Medicine Associates
IU — Northwest
Jackson Neurosurgery Clinic
James E. Hunt, MD
Jasmine K. Leong MD
Jewell County Hospital
John Hiestand, M.D.
Jonathan F. Diller, M.D.
Jubilee Community Health
Kardous Primary Care
Keith A. Harvey, M.D.
Kenneth Cesa DPM
Kings Clinic and Urgent Care
Kiowa County Memorial Hospital
Kristin Egan MD
Lakeshore Family Practice
Lane County Hospital
Logan County Hospital
Margaret Mary Health
Masonboro Urgent Care
McDonough Medical Group Psychiatry
Medical Care, Inc.
Medical Center of East Houston
Medicine Lodge Memorial Hospital
MHP Cardiology
Michael Mann, MD, PC
Michelle Barnes Marshall, P.C.
Michiana Gastroenterology, Inc.
Minneola District Hospital
Mora Surgical Clinic
Moundridge Mercy Hospital Inc
Nancy L. Carteron M.D.
Naples Heart Rhythm Specialists
Nate Delisi DO
Neighborhood Health Clinic
Neosho Memorial Regional Medical Center
Neuro Spine Pain Surgery Center
Norman G. McKoy, M.D. & Ass., P.A.
North Corridor Internal Medicine
Nova Pain Management
Novapex Franklin
Oakland Family Practice
Oakland Medical Group
Ohio Physical Medicine & Rehabilitation Inc.
On Track For Life
Ottawa County Health Center
Pareshchandra C. Patel MD
Parkview Health System, Inc. d/b/a Family Practice Associates of Huntington
Parkview Health System, Inc. d/b/a Fort Wayne Cardiology
Parrott Medical Clinic
Partners In Family Care
Personalized Health Care Of Tucson
Phillips County Hospital
Physical Medicine Consultants
Physicians of North Worchester County
Precision Weight Loss Center
Primary & Alternative Medical Center
Prince George's County Health Dept.
Rebecca J. Kurth M.D.
Relief Center
Republic County Hospital
Ricardo S. Lemos MD
Richard A. Stone M.D.
Richard Ganz MD
River Primary Care
Rolando P. Oro MD, PA
Ronald Chochinov
Sabetha Community Hospital
Santa Cruz Pulmonary Medical Group
Santone Chiropractic
Sarasota Cardiovascular Group
Sarasota Center for Family Health Wellness
Sarasota Heart Center
Satanta District Hospital
Saul & Cutarelli MD's Inc.
Shaver Medical Clinic, P. A.
Skiatook Osteopathic Clinic Inc.
Sleep Centers of Fort Wayne
Smith County Hospital
Smith Family Chiropractic
Somers Eye Center
South Forsyth Family Medicine & Pediatrics
Southeast Rehabilitation Associates PC
Southgate Radiology
Southwest Internal Medicine & Pain Management
Southwest Orthopaedic Surgery Specialists, PLC
Stafford County Hospital
Stephen Helvie MD
Stephen T. Child MD
Susan A. Kubica MD
Texas Childrens Hospital
The Children's Health Place
The Heart & Vascular Specialists
The Heart and Vascular Center of Sarasota
The Imaging Center
The Johnson Center for Pelvic Health
The Medical Foundation, My Lab Results Portal
Thompson Family Chiropractic
Trego County Hospital
Union Square Dermatology
Volunteers in Medicine
Wells Chiropractic Clinic
Wichita County Health Center
William Klope MD
Wyoming Total Health Record Patient Portal
Yovanni Tineo M.D.
Zack Hall M.D.

The MIE press release included few details about exactly how hackers accessed its systems:

"On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data."

The breach highlights the need for greater transparency by both health care providers and the outsourcing vendors they hire. The breach also highlights the fact that medical records are stored and accessible via cloud-based services. Did you know that? I didn't before. And, this raises the question: is storage of PHI in the cloud the best and safest way?

The breach notices from MIE to consumers may create confusion, since patients don't do business directly with MIE and probably won't recognize its name. My wife received a breach notice on Friday and did not recognize MIE by name. I hadn't heard of MIE, either, so I did some online research. During June, MIE notified both the California Attorney General's office (Adobe PDF) and the New Hampshire Attorney General's office (Adobe PDF) of residents in each state affected by the data breach. MIE is represented by the law firm of Lewis, Brisbois, Bisgaard and Smith LLP (LBBS). LBBS has offices in 35 states and the District of Columbia.

MIE probably notified several other states, but many states, including the Massachusetts Attorney General's office, do not post online breach notices they receive. (They should, since it helps consumers verify breach notices.) HIPAA federal law requires certain entities to send breach notices to affected patients for breaches of unprotected data affecting more than 500 patients. At press time, a check of the Health & Human Services site did not find an MIE breach listing. When posted, it should reveal the total number of patients affected by the breach.

The breach notice my wife received was dated July 17, 2015. It repeated information already available online and offered few new details. It began:

"My name is Eric Jones and I am co-founder and COO of Medical Informatics Engineering, a company that provides electronic medical record services to certain health care provider clients, including Concentra. On behalf of Medical Informatics Engineering, I am writing to notify you that a data security compromise occurred at Medical Informatics Engineering that has affected the security of some of your personal and protected health information. This letter contains details about the incident and our response..."

My wife didn't recognize either Concentra or No More Clipboard by name. The notice she received listed the following patients' information as exposed or stolen:

"While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering's network has been affected. The affected information: SSN, Address, Phone, Birth Date"

This seemed vague. Which address: e-mail or residential street address? Which phone: mobile, land-line, or both? Were Social Security Numbers stored in open or encrypted format? And, if not encrypted, why not? The breach notice didn't say much.

Then, there is this: the breach letter my wife received included far fewer information elements than the July 24, 2015 press release:

"The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information."

This raised the question: which MIE document is correct? The breach notice, the press release, or neither? The notice seemed to raise more questions than it answered, so Monday morning we called the MIE hotline listed in its breach notice. After waiting 50 minutes on hold, a representative finally answered. The phone representative identified herself and her employer, Epic Systems based in Oregon. So, MIE outsourced the hotline support portion of its post-breach response.

I asked the representative to explain exactly how MIE acquired my wife's medical records. She looked up my wife's record in their system and replied that MIE had acquired it through business with Concentra. This was puzzling since neither my wife nor I have done business with Concentra. So, I was on the phone with one subcontractor who was pointing the finger at another subcontractor. Lovely. And, nobody on the phone actually from MIE. Disappointing.

Next, I called the nearest Concentra office, which is 17 miles away in Wilmington, Massachusetts. (We live in Boston.) The person in the billing department was helpful. (She admitted that she, too, had received a breach notice from MIE.) The representative attempted to find my wife's information in Concentra's systems. As my wife and I thought: no record. We have not done any business with Concentra. Confirmed.

The Wilmington-office representative's first answer was to give me the MIE breach hotline number. I explained that I had already called the MIE hotline. Then, the representative provided a regional contact in Concentra's human resources department. I have called Tyree Wallace twice, but so far no response. Not good.

What to make of this situation? One vendor's system has errors, but I can't yet tell which: MIE or Concentra. Maybe that's a result of the hack. Maybe not. The whole situation reminds me of the robo-signing and residential mortgage-backed securities scandals by banks, where shortcuts were taken without proper documentation and items repackaged, sold, and resold without disclosures -- nobody knew exactly what was what. An epic mess. Could a similar epic mess have happened with electronic medical records? I hope not.

I reviewed the breach notice again, but this time focused upon MIE's offer of two years of free credit monitoring services with the Experian ProtectMyID Elite service. The ProtectMyID website lists the following features:

"Credit Monitoring: You may review your credit card statements every month for purchases you didn't make. But, every day, we check your credit report for other types of fraud that are much more dangerous. We watch for 50 leading indicators of identity theft. Each one, from a new loan to medical collections, poses a unique threat to your identity that we'll help you address."

"Internet Scan: ProtectMyID continually monitors a vast number of online sources where compromised credit and debit card numbers, Social Security numbers and other personal data is found, traded or sold, helping reduce your potential exposure to identity theft."

"National Change of Address Monitoring: Your bills and monthly statements can feed criminals important account and personal information. An identity thief may steal a single piece of your mail or all of it with a fraudulent change of address request at the post office. Every day, we look for the red flags. We monitor address changes at the national and credit report levels and help you resolve any issues."

Is this a good deal? Each affected patient can decide for themselves, since you know your needs best. Plus, patients' needs vary. The Internet scan and address monitoring features sound nice, but only you can determine if you need those protections. While two years of free credit monitoring is better than one year, I couldn't find an explicit statement on the site about whether ProtectMyID monitors credit reports at all three credit reporting agencies (e.g., Experian, Equifax, TransUnion), or only one. Monitoring only one doesn't seem like effective coverage. In 8+ years of blogging, I've learned that criminals are smart and persistent. Monitor only one branded credit report (e.g., Experian's), and criminals will approach lenders who use other branded credit reports, in order to take out fraudulent loans.

So, what to make of this breach? I see several issues:

  1. Transparency matters: the MIE breach and its post-breach response highlight the importance of transparency. Health care providers and outsourced vendors should make it easy for patients to determine who has their electronic health records and why. Breach notices should clearly state both the EHR vendor's name and the health care provider each patient specifically used. Don't use the vague, confusing language MIE used. (See above.) Be specific and clear in breach notices. Something like this would be better: "We acquired your electronic health records during [year] from Concentra. It was acquired for [insert reasons]."
  2. Update online policies: health care providers' websites should identify the EHR vendors by name in their policies (e.g., terms of use, privacy). EHR vendor sites should identify their clients. Why? When breaches happen, patients need to quickly and easily verify the vendor's breach notice received. When policies don't mention vendors by name, verification is harder.
  3. Effective credit monitoring: ideally, provide a free service that monitors credit reports at all three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion), not one.
  4. Cloud-based EHR services: is this the best, safest way to store PHI? Cloud storage offers speed, flexibility, and storage benefits. But what about security? Can PHI be effectively secured and protected in the cloud? If you want to learn more, read this 2013 report by the Center for Democracy & Technology about HIPAA compliance and cloud storage (Adobe PDF). The MIE breach highlights the risk. Time will tell if experts were correct. Time will tell if cloud-storage vendors can adequately protect electronic health records (EHR).

In my opinion: an epic fail is brewing. It seems that MIE has done, so far, the minimum with its post-breach response. The efforts seem focused upon avoiding liability instead of helping affected patients. So far, MIE has failed to provide a satisfactory answer about when, how, and why it acquired my wife's electronic medical records. I look forward to more disclosures by MIE about exactly how hackers breached its system, and what it will do so this doesn't happen again.

During the next day or so, my wife and I will file a HIPAA complaint. I encourage other patients in similar situations to file complaints, too.

Did you receive a breach notice from MIE? What are your opinions of the MIE data breach and the company's response? Of the free ProtectMyID credit monitoring arranged by MIE? If you have used Concentra, what are your opinions of it?




Found you on twitter while searching @MIEHR. Thank you for taking the time to post this information. It's more than you can get from MIE. I, like a lot of others, got my notice this morning about the breach and MIE's lack of security and wondered why this was the first time I'm hearing about this. I'm sure the providers have known for months. It's nice how the letter tells me all the things I should do to address their mistake but MIE doesn't once apologize for their failure to protect my information. I'll keep up with your blog and appreciate your efforts.



Thanks for the comment. Glad that you found the blog post helpful and informative. When I learn more, I will post on this blog. So far, no replies from MIE via Twitter.



My husband and I each got a letter. We also live in Mass. I started to research tonight to see if this is a scam. Sounds legit I guess, but I'd like to know how they got our medical info too. My husband has had very little need for medical attention for years, so not many institutions have his info - aside from pharmacies. Very confusing. Thanks!


My wife and I got our July 17, 2015 dated notices today. Same text. And we are in Denver and have been here for 20+ years. Recognize none of the above clients and have never been with Concentra. Really makes me wonder why and how they have our info. Also thought scam initially, but as noted above sounds legit scanning mie and other sites.

Growing tired of these. Got caught up in the Home Depot breach and that protection is still in place for a bit more, but not confident that service will catch anything anyway. Froze credit accounts years ago

Agree with above issues but nothing will never happen. Too much data and too little security as these companies are clueless on security. Give me a Linux system and I'll lock it down for you. Forget Windows and the Cloud. Cloud system security is far behind the technology. Multiple VMs on one server rented for business use. Just rent VM time and hack away....




I, too, rec'd letter, but don't know why they have my info. I visited dentist about a year ago and had eyes checked in June 2015. What is MIE doing with my name, etc. I'm confused and concerned. Also, I followed instructions provided in letter, but was unable to enroll ProtectMyID...Help?



Thanks for sharing your comments. You are not alone. This morning, I spoke with Concentra's regional human resources manager, Mrs. Wallace. She was very helpful. As I learn more, I will post it on this blog. There is much more to this story.



so, is anyone going to enroll in the experian protection???
any suggestions on what we should/shouldn't do is much appreciated.



I am curious to hear what other people's decision is about whether or not to sign up for the free Experian ProtectMyID Elite service arranged by MIE. Our decision whether or not to sign up will be based upon:
1. What we learn about the extent of the breach,
2. Limited coverage: as explained in the above blog post,
3. As you know, a CREDIT monitoring service does little to protect your MEDICAL records, and
4. What we learn about HOW medical records are shared between companies.

We already have Security Freezes on our 3 major credit reports from prior data breaches. If you don't know what a Security Freeze is, there are plenty of resources in this blog. You can start reading here:




Thank you! I got such a letter too and I am searching for the same answers. I am very interested in finding out what others are going to do with Experian's ProtectMyID: what shall we be aware of and what to check.
Thank you!


I would like to file a HIPAA complaint. What shall I state there? Any advice how to make it more effective?


I got my July 17 notice yesterday also. I tried calling the hotline and explained to them that I've never done business with Concentra, and they basically said they can't give much info about how MIE obtained the medical records. The person I spoke to tried to downplay the breach by saying this letter and the offer for ProtectMyID was precautionary.

I have a feeling that this breach is probably larger than they make it seem, and yes there is probably much more to the story than what we're being told.


I have just contacted this line too. I requested the list of the companies who used the services of Concentra. Plus I requested any information that will help me to find their report with the officials (FBI) - number of the report, date, etc. They said they will "escalate" these questions to the supervisor, who is supposed to call me back I think within 48 hours. It was really difficult to talk to them as there was really heavy noise in the background and the person did not want to be very articulate as well.


For people MIE claimed Concentra was the source of your data:
Like you, my wife and I are very concerned. Stay tuned. I hope to have more about this soon.

Thanks for sharing your comments and for investigating with MIE. Please share whatever you learn. As I mentioned in my blog post, MIE subcontracted the hotline operation to another company, so what they tell us is very limited. Keep pushing for answers! I will do the same.


Lee Rottinghaus

I live in Fort Wayne, Indiana, where MIE is headquartered. I have sent emails to the author of the breach letter (Eric Jones) and asked for specific information about my health care information. No response thus far, which is no surprise. I did contact the local newspaper, The Journal Gazette and they did interview me and then sent a photographer to my home. The story will appear in the Sunday, August 2nd issue of the Journal Gazette. The reporter from the Journal Gazette was trying to get a comment from Eric Jones. Am very interested in any commentary from Eric Jones. I agree with your interpretation--MIE is more interested in avoiding liability than communicating with those affected.

After 3 attempts I did reach the MIE "hotline". However, the representative was not able to answer my questions. She did offer to escalate the call to a supervisor, but I will not receive a call back for approximately 48 hours.

I did attempt to register with Experian, but could not. I called the help line but the hold time was so lengthy I was not even placed on hold. The recording suggested that I try back later because call-volume was so high. So, I still do not have answers about my compromised health care information.


Thank you for providing direction and edification. I attempted to enroll as per directions in letter I rec'd, but to no avail. Now I don't even know if I want to bother...Looks like I'm going to have to go through the joy of calling for info (as to why MIE has my info)---good luck to all of us, right?!! Thank you again for your insights and information, G.


Lee and Dana:

Thanks for sharing your comments with your experiences. It is sad and troubling to hear that you were unable to register for the Experian service. I look forward to reading the Sunday, August 2 article in the Journal Gazette.

My informal list of states with consumers affected by the MIE breach: California, Colorado, Idaho, Indiana, Maryland, Massachusetts, New Hampshire, Texas, and the District of Columbia. Maybe we'll hear more comments from people in these or other states.


Philip Duclos

Got the letter from MIE today and my spouse did too. No, we have done no business with any of the listed providers nor with Concentra. Called the "hot line" and spoke with Bonnie. Bonnie got the job two days ago and had no useful information. I asked to be notified about who had contracted with MIE to host my personal health information (PHI) and perhaps Bonnie's supervisor will call me back. Yeah, right.
Looked up MIE on the Indiana Secretary of State website. Eric Jones is listed as Secretary. MIE stands for Medical Informatics Engineering. The practice of Engineering is regulated in Indiana and you must be a Professional Engineer (PE) to practice. Interestingly enough there is an "Eric Steven Jones" licensed as an engineering intern in Indiana. An engineering intern may only practice under the supervision of a PE. And Indiana has a pretty strict definition of "offering the services of engineering" with an exemption for "manufactured products". Does hosting of a website/database containing PHI qualify as a manufactured product or is it a service? We will find out because I filed a complaint with the Indiana Attorney General's office that 1. MIE was practicing without a license and 2. Eric Steven Jones was practicing without a PE license when he only has an IET license.
Full disclosure - I am a PE
The purpose of licensure is to protect the health and safety of the public. Has the health or safety of the public been adversely affected by this breach of data by MIE?


This is my second breach this year and once again they offer limited amount of protection.
As you stated why only 1 credit agency and not all. However, my biggest qualm is that some of the data breached will never change, so what good do 2 years do when my SSN/Birthday never change in my lifetime.

Companies that deal with identity information need to be able to protect that data or not work in that kind of environment. I know the HIPAA rules from the government and am also involved in IT. Therefore, I personally know what is involved with this security but am also aware of the risks.

Companies need to be able to protect my data, and have a budget for it in case this happens.

How can we get a bill in place to get this done?
Or how can I get a class action lawsuit going for lifetime protection?


I also received a letter dated July 17, 2015. This letter lists the name of the provider I have used in Arkansas who uses NoMoreClipboard. The list of affected data includes address, phone, email, username, password, birth date, and security question. I found this site while researching whether it was a scam and whether I should pursue the offer of Experian's ProtectMyID Elite.
My provider does have a note on their home page alerting one to the cyber attack. I am quite sure that I have provided more information on that site than is listed above including insurance and health records, although, of course, I know as little as everyone else on what happened and how much was included in this attack.
A question-does the information you write down on the clipboard at the doctor go into the same system? Does it make any difference whether I write it down or use my computer if it's all going into the same retrieval system?


It's a mess, that's for sure! This is my 2nd breach as well--Home Depot the other. I haven't been to a doctor in years (Nevada), let alone any on that wonderfully inclusive list (thanks so very much) of medical places in IN, MI, et al. I doubt I'm going to sign on to Experian cuz what good does "monitoring" do really...I mean, if they were about circumventing possible issues, ok. I like that class action lawsuit idea, but it'd probably take a lifetime to get any kind of result. Gosh, I sound so negative and jaded and I'm not much that way in life; it's just that this security stuff is wearing, frustrating, and a bit nerve-wracking insofar as 'what next'. I'm all for hearing any advice you all have to offer because I'm not savvy with stuff like this at all!


Alabama can be added to the list of states.

Elizabeth Baugh

My husband and I both received the letter - we are in TN - can't figure what our connection is to Concentra?? Trying to figure out if this Experian step is worth it.... Really tired of all these breaches....

Frustrated in WY

I received the same letter. Called the hotline in the letter, waited almost an hour to be connected to a representative. The letter stated I could obtain the identity of the affected healthcare provider. The representative told me they had absolutely no information on the identity of the healthcare provider. I waited on hold for almost an hour to get absolutely NO information that the letter informed me I could obtain. Very frustrating.

Bart Kolodziejczak

A friend of mine in FL got the letter a couple of days ago and I got it yesterday in AZ. My thought is this feels scammy, like some way to generate business for Experian. After two years, will the Experian coverage just stop, or will they just start billing me and I would have to contact them to get rid of it? I plan to toss this letter and just watch my finances on my own with the protections I already have in place.


I contacted my local Concentra which I had visited a few years back, their administrator confirmed that they received a data breach email from MIE and gave me her contact # for them. I spoke to a representative today and he assured me for my name, birthdate, phone and address were leaked (but not my social security number). I'm keeping the letter in case anyone tries to steal my identity down the road, but the reviews for Experian ProtectMyID are not good. I'll keep checking my insurance claims now like I check my credit cards and banking activity. This is such a huge inconvenience. Makes me want to pay cash for everything and skip any service that requires relinquishing personal information. Pain in the ...



For those who want to learn more about HIPAA, what information is protected, and your rights, I found this page a good place to start reading:


And, you may find this helpful:

It seems that the information compromised in the MIE breach varies by person. Some people had more info exposed than others. So, any HIPAA complaint you submit will vary given your situation. See the breach notice you received from MIE and use the data elements listed in it with your complaint submission.



Update - just found out that we got the letter because my husband is an employee of HP and it was through their benefits dept using Concentra.



Thanks for sharing. Your situation is different from my wife's because you have a clear, valid connection to Concentra via health care services through your husband's employer. My wife and I do not have such a connection to Concentra. We are trying to find out how Concentra got her information.

What makes the whole thing tricky is that the amount of information compromised by the MIE breach seems to vary by person. You may (or may not) have had a lot more information compromised than my wife. Your breach notice from MIE should list the data elements compromised, and if the elements apply to one or more persons (e.g., your husband, you, children). I do not know your particulars, nor if MIE offered to you the same Experian credit monitoring services that it offered to my wife.

If you can share more, that would be great. I am curious to hear, but don't break any confidentiality. And, I think that other breach victims are curious, too.



Sure - As for what was breached, my letter says SSN, Address, DOB; my husband's letter says SSN, Address, DOB, & Email address.

Yes, they offered us the same protection service thru Experian that others have mentioned above.

The Email from HR explained "HP provided eligibility data to Concentra so that employees and spouses would be able to participate in the screening process and earn wellness incentive credits. The data was used by Concentra solely for member identification purposes." I do not believe they are using Concentra any longer. They recommend you sign up for the credit monitoring, and finish with "For more information regarding the specifics of the security breach and the services MIE has put in place, please visit https://www.mieweb.com/notice/ or call 1-866-328-1987."

Chanson de Roland

The thing that this latest data breach brings home for me and, I think, for us all is just how valuable our personal information is and how even our Protected Health Information (PHI) is collected, traded, and otherwise used for others' profits without any meaningful consent from each of us. Indeed, users' personal information is the modern Internet's currency, which is the source of nearly every Internet firm's revenues and profits, but especially of those who offer services and goods to us without charging a price in money for those goods and services. There is an old saying from earlier days of the Internet that captures this well: "If you're not paying for something, you're not the customer; you're the product being sold."

So we have all been reduced to being mere chattels. And we are so reduced because our personal information, the information that we author by and through our actions, belongs to everyone except us. And since we are our information and the acts that create it, it follows that, our information not being ours but belonging to others, we, a fortiori, are just others' property. And being nothing more than property, our rights, the right to privacy, our dignity, etc., must be subordinate and subservient to the true owners', Google, Facebook, MIE, and their ilk's, rights and interests.

So get used to being sold on the Internet and its modalities, and get used to nefarious people breaking into your owners' computers to steal you, i.e., your personal information, so that they can sell or otherwise exploit you through fraud, extortion, or by some other nefarious means.

How did this happen? And when did we cease to own the personal information that is such an essential part of who we are and become another's property, having only those limited rights and remedies that government deigns to grant us, rather than stronger, fuller, and complete constitutional rights as the owners of our personal information?


I am in Kentucky and also received the 17 July security breach letter offering 2 years free credit monitoring by Experian's ProtectMyID Elite. This letter states information that was compromised but does not state in any way what facility or any association that it may have come from. Today is Saturday; so I will have to call on Monday for more info. Good luck everyone.


We received the same letter from MIE and our problem is that we both have the same 1st name and were confused as to who the letter is to since it only has 1st and last name on it and no other identifying items. But I did work for HP/Compaq for 19 years, and quit 2 years ago this past July. So if the letter is to me I guess it doesn't matter if HP still uses Concentra or not since they still have our info on file. Personally I believe not being able to use your SSN for anything besides your job reporting your earned income to IRS and SSA would go a long way in helping prevent use of your info obtained in data breaches.

J Whiley

My mother received the same letter (Wichita, KS), and on my first look at the letter it appears to be a scam. The letter gives a scare tactic then wants to offer "free" two year protection by signing up with ProtectMyID...who knows, this Eric Jones may be getting a bonus every time someone signs up. Remember nothing is free. I will continue to research.
Thanks...really appreciate everyone's feedback.



You may find the information in Monday's blog post helpful:

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

As I learn more, I will share it in blog posts.



I received the letter maybe a week or so ago -- it's been sitting in a pile of mail that I just got around to opening this morning. I live in TN and have never dealt with anyone at Concentra -- I've never received a bill from a Concentra, used an urgent care under that name, been drug tested by one of their facilities, etc. You made mention above in your post about speaking to someone at "Epic" and I do know that Epic is now the online medical records provider that one of our large local hospitals has gone to so I'm wondering if this is the connection for me. Supposedly just my address, phone and birth date was leaked. No wonder I can't get the hell off any do not call lists. What a joke of a country we live in. I don't think the ProtectMyID is a scam -- it's just one more lame attempt at covering someone's you know what.


I live in Ohio; add that to the list of states affected. I and several family members received the MIE letters. I receive medical services in Fort Wayne, IN, home of MIE. Several of my docs and health care providers are on the breach list. Also, FW is home to the Journal-Gazette newspaper; article previously mentioned. I suspect that some of my family members' info was compromised, because I had added them to MY emergency contact lists. If I had not added them, then they would not be able to obtain ANY info about my medical condition.
I am outraged at MIE. It is my understanding that it is not all that difficult to have security measures in place on computer systems right from the get-go. After reviewing MIE's own web site, I see that they wholeheartedly brag about their credentials and what a wonderful business they have built. Nowhere did they mention that their customers' information security was a priority, or how they were managing that.
Although those who actually steal from others (i.e., identity thieves) should be punished, I also believe that the MIE execs should be held accountable. The MIE letter states, "We take the security...very seriously...and apologize for the inconvenience." Are you kidding me? How is "taking seriously" and "apologizing" helping me and the 5 million others?!? Note that only 1.5 million are Hoosiers; the other nearly 4 million are from other states. If MIE is truly sorry, they will make lifetime restitution to those of us whose personal information has been compromised AND cover the lifetime expenses of those whose identities are actually stolen. I believe that each and every individual who received the MIE letter should, minimally, have a LIFETIME of the BEST IDENTITY THEFT PROTECTION paid for in full by MIE. None of this 2-year nonsense. Thieves can be quite patient. Two years isn't all that long. And call me skeptical--but, I've dealt with trying to stop credit card payments before--they will keep withdrawing the money from your account; it is extremely difficult to stop after the "free trial" period.
Although, according to the Journal Gazette, a lawyer from Indianapolis is currently filing a 5 million dollar suit against MIE, how will that help Hoosiers and how will it help the non-Hoosiers? I would like to hear from the lawyer for his take on all of this. I will continue to follow others' reactions to this issue. Thanks.


Misty, Tracey, and J Whiley: thanks for sharing!

Irma: about your question of what to put in a HIPAA complaint, I have not forgotten you. I am still researching answers. More to come. Please hang in there.

Kim: just like you, my wife and I never used Concentra urgent care services. That's why I contacted them to learn from Concentra exactly how they acquired my wife's info. Hopefully, I will get some answers soon. Will share what I learn.

Bobbie: I understand how you feel. We feel much the same way. If you read HIPAA laws, they seem tilted towards employers sharing information with health care providers. The general lack of notice and consent are troublesome.




This is a good article to read about the different providers associated with the breach:






Plus, I had issues with Experian Protect My ID as well but switched to a computer. The signon should be the email you used in step#1. I only found this out by switching to signing on by computer and it auto populated that field for me.

Hope this helps some :)

From what I can tell the information stolen can be dated back to 1997.


Hello, my parents received the same letter. I let them know to check their credit cards and checking accounts and then keep an eye out and keep the letter. I was going to have them sign up for the Experian but from what is listed above no one is doing it. Any advice or suggestions? I feel terrible and hope this doesn't affect anyone, and my parents for that matter.

R e

My wife works at HP but we have never used HP's health benefits. Now my information is compromised!!! Why would they share our data with Concentra, who apparently shared it with MIE, when we don't even use these benefits? And why is there never any liability for these breaches? This will continue to happen until there are severe financial consequences for all the companies that are careless.

Mike P

Add Georgia to the list. I have lived here for over 28 years. I also worked at DEC/Compaq/HP since 1976. HIPAA sounds great in concept and on paper, but seldom (if ever) are enforcement actions taken with real teeth. A universal class action suit with federal investigation (FBI) should be aggressively pursued. There are just too many cracks/gaps in current revelations. Still waiting for a clear consensus on joining the Experian monitoring service. There doesn't appear to be a monitoring service for health (non-credit) clearinghouse.
Mike P


So, here is the question: should you do the Experian free trial for 2 years? You have until October to sign up. Thoughts, anyone?

Brad Hancock

B. here from Texas. Got the letter myself last week. What is really strange about the whole affair is that at least 90% of my coworkers also received the letter from MIE (not No More Clipboard). I work at a nuclear power plant. We have direct employees and contract employees here on site. Each contractor has their own health plans run completely independent of ours, yet many of the contracted employees also received these notices. There is one thing that we all have in common - continuous random drug testing & initial hire drug screening. I wonder if the laboratory we use (Quest Diagnostics) was a silent partner of this data breach? I am suspicious of that one common tie since if it was a breach through our corporate insurance policies, wouldn't my wife also have received a notice? The few cases where a spouse or dependent also received a notice the only common tie was through routine testing for an existing medical condition - and they used Quest Diagnostics. I have never used a Concentra urgent care clinic, nor have I ever submitted data to them for any type of medical benefit screenings either.

Like others, I called the information hot line and got very little useful information. I did sign up for the credit monitoring. It was uneventful and actually went pretty smoothly. I used a desktop from my home to sign up, after verifying that I had a secure connection. Of course that could have been spoofed too, I know.

Like others have posted, I too think that there is a lot of information that is being withheld at this time - for what reason I have no idea. Could it be that the very low-key dissemination of the magnitude of this breach was designed to not cast doubts upon the EHR mandate of the Affordable Care Act?


Sorry to hear you were affected. You raise a good question. This document (Adobe PDF format) suggests a business relationship between Medical Informatics Engineering (MIE) and Quest Diagnostics:

Scroll down to page 11. As you can see in the link, this document resides at the Quest Diagnostics site. I found it in 5 minutes with a Google.com search. So, you might call Quest Diagnostics' customer service department and demand some explanations about: a) their business relationship(s) with MIE; b) what data they share with MIE; and c) that you don't consent to the data sharing, since MIE has shown it can't protect it. You might also call MIE and ask them why Quest Diagnostics was not listed in their announced list of affected vendors.

This suggests that the breach is broader than we all thought.



Jessica: thanks for providing the link to the Help Net Security article. The article mentioned 5.5 million affected consumers, which seems too high. Why? The U.S. Department of Health & Human Services listed today 3.9 million consumers affected by the breach.

Mike P, Daniella, Bobbie, and R e: thanks for sharing your experiences. As Bobbie wrote, 2 years isn't that long. I agree that thieves are crafty, persistent, and patient. Whatever you decide to do, you'll have to take precautions for longer than 2 years. My wife and I have credit freezes on our credit reports. That prevents financial fraud, but not medical fraud.

Everyone: I hope to have more information in another blog post soon.



Texas residents also affected. Rec'd letter that my SSAN, name, etc. were stolen. Be aware that if you sign up for the free two years of protection, you are agreeing that you cannot participate in any class action suit, even after cancellation of policy. Individual arbitration only option. Also, the agreement applies to many entities that are not named (referred to as subsidiaries, parent entities, affiliates, etc...)

Many facilities download PHI from regional and national databases (HIEs) or hospital systems. That might explain why so many don't know how their information was acquired. HIEs are not a good thing - too fraught with danger for the consumer until better security and breach impact responsibility laws are in place.

Thanks for the information. Look forward to follow up.

Marnie C. Lambert

I am in Ohio and I received one of the July 17th letters too, as did a friend of mine. We cannot figure out what medical provider we have in common that may have used a product or service of MIE and, like others on here, "Concentra" is referenced but is a company with which I am not familiar. It hardly seems right that victims should have to give up anything in order to receive the monitoring/credit protection that MIE itself must think we need due to the data breach at their company. If MIE is going to provide supposed protection to victims, that protection should not be conditioned on the victims accepting the protection giving up their right to file a lawsuit (class action or otherwise) against MIE for any damages they may suffer. Something about that approach by MIE just leaves a bad taste in my mouth.


Pam and Marnie:

Thanks for sharing your comments and experiences. I agree, it is frustrating. Companies seem to easily buy and sell consumers' medical information without consumers' consent. Since consumers can lock down our credit reports, it seems logical that consumers should also be able to lock down their medical records. The latter is something we all should demand of our elected officials.

About the binding arbitration clause in the credit monitoring agreement, I checked the Terms and Conditions page for ProtectMyID (http://www.protectmyid.com/terms/ ). It read:

"This ProtectMyID product ("ProtectMyID") Membership Agreement ("Agreement") is between you and ConsumerInfo.com, Inc. ("CIC" "us" "our" or "we") and explains the terms and conditions under which you may use the ProtectMyID.com ("Website") and the ProtectMyID product, including without limitation, any paid product upgrade features, where applicable, such as ChildSecure and RestoreMyID ("Product")... WE EACH AGREE TO RESOLVE THOSE DISPUTES THROUGH BINDING ARBITRATION OR SMALL CLAIMS COURT INSTEAD OF IN COURTS OF GENERAL JURISDICTION TO THE FULLEST EXTENT PERMITTED BY LAW. ARBITRATION IS MORE INFORMAL THAN A LAWSUIT IN COURT. ARBITRATION USES A NEUTRAL ARBITRATOR INSTEAD OF A JUDGE OR JURY, ALLOWS FOR MORE LIMITED DISCOVERY THAN IN COURT, AND IS SUBJECT TO VERY LIMITED REVIEW BY COURTS. ARBITRATORS CAN AWARD THE SAME DAMAGES AND RELIEF THAT A COURT CAN AWARD. ANY ARBITRATION UNDER THIS AGREEMENT WILL TAKE PLACE ON AN INDIVIDUAL BASIS; CLASS ARBITRATIONS AND CLASS ACTIONS ARE NOT PERMITTED. CIC WILL PAY ALL COSTS OF ARBITRATION, NO MATTER WHO WINS, SO LONG AS YOUR CLAIM IS NOT FRIVOLOUS. HOWEVER, IN ARBITRATION, BOTH YOU AND CIC WILL BE ENTITLED TO RECOVER ATTORNEYS’ FEES FROM THE OTHER PARTY TO THE SAME EXTENT AS YOU WOULD BE IN COURT... For purposes of this arbitration provision, references to "CIC," "you," and "us" shall include our respective parent entities, subsidiaries, affiliates, agents, employees, predecessors in interest, successors and assigns, websites of the foregoing, as well as all authorized or unauthorized users or beneficiaries of services, products or information under this or prior Agreements between us. Notwithstanding the foregoing, either party may bring an individual action in small claims court..."

It seems that binding arbitration is between CIC and the ProtectMyID user, and does not include MIE. You are correct to be concerned as nobody wants to give up their legal rights against MIE. What gives you the impression that binding arbitration includes MIE?

Last, binding arbitration clauses are usually not consumer friendly. I explored the reasons why in this blog post:

10 Tips About How To Read Terms Of Use And Privacy Policies


Marnie C. Lambert

Thank you for that clarification George! It certainly does not sound like there are any "strings attached" to the free 2 year protection being offered by MIE so that is a big relief! I am not surprised that there is a class action waiver or mandatory arbitration clause in an agreement with a credit monitoring company. I am so frustrated with how many security breaches of private health and financial information there are these days! It makes you wonder if the healthcare industry and the financial industry are really spending the time and money they are supposed to be on keeping our sensitive personal information confidential. From what I have read, the cost of cybercrimes to Americans is staggering. Thanks for shining a light on these important issues!


Thank you for posting this George. My story is exactly the same as yours including the date on the letter, the claim that a company I've never heard of, Concentra, was the source. I have no idea exactly what data of mine was compromised or where that data came from. I'm dismayed to learn that companies have my personal data in their systems yet I have no idea how or why it got there... did I give permission for them to have it (buried somewhere in 50 page long terms of use)? I awoke this morning to an email alert from ProtectMyID and was extremely panicked until I finally determined (after waiting on hold with Experian for over an hour listening to horrible anxiety producing music) that it was a legitimate credit update. As the weeks and months go by the chances of our sensitive data being used for nefarious purposes increases. I believe we should have protection from ALL the credit monitoring companies, not just one. It should also extend out at least 5 years. We may be able to change our passwords and email addresses, but our names, SSN, birth dates don't change after the 2 year monitoring expires...


Thanks for sharing. I agree. It is frustrating. Infuriating, too. 2 years is not long enough. Not even close. The risk will be there for a long time.

I have had several conversations with Concentra about when, where, and how they acquired my wife's information. And, all of this assumes MIE's records are accurate. As I learn more, I will share it. Stay tuned.


Steve Schack

Thanks to everyone for the information on this site. I live in the state of Washington. I received the July 17 letter a couple of weeks ago and have been wondering about its legitimacy. My letter only mentions NoMoreClipboard but contains no reference to MIE or Concentra. The letter states that the compromised data includes: Address, Email, UserName, Password, and Security Question. In order to activate the Experian ProtectMyID service I would need to enter additional information including my SSN. Somehow, providing more sensitive data to potentially limit the effects of a theft of less sensitive data doesn't seem like a prudent thing to do. For now I am going to pass on the Experian offer, but I will continue monitoring this site for new developments.


I just signed up on the protectmyid, and realized it might be a scam. What can I do to protect my id security now? Thanks in advance


Experian is a real company. And, its ProtectMyID is a real service. So, I don't know what you mean when you use the word "scam." A lot of people use that word without knowing its legal meaning.

It sounds like you might be worried that you may not get the value you hoped. If you are truly concerned, then maybe get a consultation with a privacy attorney to help you review the ProtectMyID agreement. Or, maybe get an attorney to help you decide if the class action against MIE is for you. I do not know your situation.


Cindy Cole

Hello George,
I have been out of town and just opened my July 17 letter from MIE. The client they mention is RediMed. I have never heard of it before. I looked up RediMed, but did not recognize any of the providers they listed. Do I follow the same procedure and sign up with Experian? Should I contact my Credit Union? Thank you, Cindy



Thanks for sharing your experience. MIE did list RediMed on its above list of clients. You might contact RediMed and ask them to explain exactly when, how, and why they acquired your information, since the RediMed name is unfamiliar to you. I'd be interested in hearing RediMed's explanation, if they give one.

I cannot give you advice about whether or not to sign up for the free Experian credit monitoring service MIE arranged, since I do not know your specific situation. Free is often good. Of course, you should protect yourself. You have several options to do so. Of course, you should closely read the terms and conditions with the free Experian credit monitoring MIE has arranged for its breach victims. You may or may not find those terms agreeable. If there are portions of those terms you don't understand, then maybe get a consultation with an attorney.

Or, you may decide to do-it-yourself and place a Security Freeze on your credit reports. There are several blog posts in this blog about Security Freezes. Or, you may decide to use a competitive branded credit monitoring service, and pay for it. And, of course you should always inspect your bank account (and credit card) statements for any fraudulent entries.

You may be interested in filing a HIPAA complaint. Or, maybe you are interested in joining one of the class action lawsuits. There are several:

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

Good luck, and let us know what you decide.




My wife and I got some answers to our questions about how Concentra obtained her information. See this update:

FYI: Medical Informatics Engineering, Concentra, Employers, Data Sharing, & Privacy

Feel free to share this with others.



Obviously I don't check my mail frequently... just opened a similar notification. Add Michigan to your list.

I'm 25, and I have very little money and almost no knowledge about any of this mumbo jumbo. I certainly don't have a lawyer, and I could not afford one. I went to Concentra ONCE a couple of years ago to make sure I didn't have strep.

From what I can tell, the general consensus is that Experian's offered service is not particularly helpful. I am not sure if I should even bother with it, and, given their reputation, I AM concerned that after the stated two years they will start charging me for services without proper notification.

Are we SOL? Stupid cyber-life!


Has anybody ever heard back from HHS CRU after reporting a breach? I have filed two, not for this breach, but have never heard if they will even take my complaint.

The comments to this entry are closed.