Medical Informatics Engineering Updates Notice to Individuals of a Data Security Compromise

FORT WAYNE, Ind.--()--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified.

On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data.

We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.

Information compromised

While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering’s network has been affected. The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.

Notification

On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.

On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.

Identity protection services

As the investigations continue, and out of an abundance of caution, we are offering affected individuals access to two years of credit monitoring and identity protection services at no charge.

Fraud prevention tips

We suggest affected individuals remain vigilant and seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements for suspicious activity. We also encourage affected individuals to notify their credit card companies, health care providers, and heath care insurers of this data security incident. Affected individuals may also review explanation of benefits statement(s) that they receive from their healthcare provider or health plan. If an affected individual sees any service that he/she believes he/she did not receive, the individual should contact his/her health care provider or health plan at the telephone number listed on the explanation of benefits statement(s). If an affected individual does not receive regular explanation of benefits statement(s), we suggest he/she contact his/her healthcare provider or health plan and ask that they send a copy after each visit the affected individual makes with his/her health care provider.

We also suggest that affected individuals carefully review their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228.

At no charge, individuals can also have these credit bureaus place a "fraud alert" on their file that alerts creditors to take additional steps to verify the his/her identity prior to granting credit in his/her name. Please note, however, that because it tells creditors to follow certain procedures to protect an individual’s credit, it may also delay the ability to obtain credit while the agency verifies the individual’s identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on an individual’s file. If you wish to place a fraud alert, or you have questions regarding your credit report, you can contact any one of the following agencies: Equifax, Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374, (800) 525-6285, www.equifax.com; Experian, Consumer Fraud Assistance, P.O. Box 9556, Allen, TX 75013, (888) 397-3742, www.experian.com; TransUnion, Consumer Relations & Fraud Victim Assistance, 1561 E. Orangethorpe Avenue, Fullerton, CA 92831, (800) 372-8391, www.transunion.com. Information regarding security freezes may also be obtained from these sources.

The Federal Trade Commission (FTC) encourages those who discover that their information has been misused to file a complaint with them. To file a complaint with the FTC, or to obtain additional information on identity theft and the steps that can be taken to avoid identity theft, the FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261. This notice has not been delayed because of law enforcement; however, instances of known or suspected identity theft should be reported to local law enforcement, your state Attorney General, and the FTC. State Attorneys General may also have advice on preventing identity theft. Individuals can also learn more about placing a fraud alert or security freeze on their credit files by contacting the FTC or state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us. For Kentucky residents, the Attorney General can be contacted at 700 Capitol Avenue, Suite 118, Frankfort, Kentucky 40601-3449, 502-696-5389, www.ag.ky.gov. For Indiana residents, the Attorney General can be contacted at 302 W. Washington Street, Indianapolis, Indiana 46204, (317) 232-6201, www.in.gov.

Security Freeze

Under MA and WV law, affected individuals have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Under MA and WV law, you may place a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

If you have been a victim of identity theft, and provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in MA and $5.30 in WV each to place, temporarily lift, or permanently remove a security freeze. To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:

          1.     Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
8. If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail.
 

The credit reporting agencies have three (3) business days after receiving a request to place a security freeze on a credit file report. The credit bureaus must also send written confirmation to the individual within five (5) business days and provide individual with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.

Toll-free hotline

We have established a confidential, toll free hotline to assist affected individuals with questions regarding the incident, their affected personal and protected health information, their affected healthcare provider(s), and the identity monitoring and protection services we are making available. The hotline can be reached at (866) 328-1987, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, except for holidays. If you would like to confirm whether you are affected by this incident, you may call our hotline. Updates regarding this incident, our investigation and steps individuals may take to protect themselves from identity theft and fraud will be available on www.nomoreclipboard.com and www.mieweb.com and through our toll free hotline. Questions regarding the incident should not be directed to your healthcare provider(s) as they may not be able to answer your questions.

Affected entities

Physician practices, hospitals, and other organizations work with NoMoreClipboard to offer patient portals and personal health records which enable consumers to access and manage health information online. Individuals who use patient portals or personal health records offered by the following entities may be affected by this cyber attack. Individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected organizations include:

        Advanced Cardiac Care               Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center
Advanced Foot Specialists (including Neurology, Physical Medicine and Neurosurgery)
All About Childrens Pediatric Partners, PC Altagracia Medical Center
Allen County Dept of Health Anderson Family Medicine
Arkansas Otolaryngology, P.A. Grace Community Health Center, Inc.
Auburn Cardiology Associates Grisell Memorial Hospital
Basedow Family Clinic Inc. Harding Pediatrics LLP
Bastrop Medical Clinic Harlan County Health System
Batish Family Medicine Health Access Program
Beaver Medical Heart Institute of Venice
Boston Podiatry Services PC Henderson Minor Outpatient Medicine
Brian Griner M.D. Henry County Hospital myhealth portal
Brightstarts Pediatrics Highgate Clinic
Burnsville Medical Center Hobart Family Medical Clinic
Capital Rehabilitation Howard Stierwalt, M.D.
Cardiovascular Consultants of Kansas Howard University Hospital
Carl Gustafson OD Hudson Essex Nephrology
Carolina Gastroenterology Huntington Medical Associates
Carolina Kidney & Hypertension Center Huntington Medical Group
Carolinas Psychiatric Associates Hutchinson Regional Medical Center
Center for Advanced Spinal Surgery Idaho Sports Medicine Institute
Chang Neurosurgery & Spine Care In Step Foot & Ankle Specialists
Cheyenne County Hospital Independence Rehabilitation Inc
Children's Clinic of Owasso, P.C. Indiana Endocrine Specialists
Clara A. Lennox MD Indiana Internal Medicine Consultants
Claude E. Younes M.D., Inc. Indiana Ohio Heart
CMMC Indiana Surgical Specialists
Coalville Health Center Indiana University
Cornerstone Medical and Wellness, LLC Indiana University Health Center
Cumberland Heart Indianapolis Gastroenterology and Hepatology
David A. Wassil, D.O. Internal Medicine Associates
David M Mayer MD IU - Northwest
Dr. Alicia Guice Jackson Neurolosurgery Clinic
Dr. Anne Hughes James E. Hunt, MD
Dr. Buchele Jasmine K. Leong MD
Dr. Clark Jewell County Hospital
Dr. Harvey John Hiestand, M.D.
Dr. John Labban Jonathan F. Diller, M.D.
Dr. John Suen Jubilee Community Health
Dr. Puleo Kardous Primary Care
Dr. Rajesh Rana Keith A. Harvey, M.D.
Dr. Rustagi Kenneth Cesa DPM
Dr. Schermerhorn Kings Clinic and Urgent Care
Dr. Shah Kiowa County Memorial Hospital
Ear, Nose & Throat Associates, P.C. Kristin Egan MD
East Carolina Medical Associates Lakeshore Family Practice
Eastern Washington Dermatology Associates Lane County Hospital
Ellinwood District Hospital Logan County Hospital
Family Care Chiropractic Center Margaret Mary Health
Family Practice Associates of Macomb Masonboro Urgent Care
Family Practice of Macomb McDonough Medical Group Psychiatry
Floyd Trillis Jr., M.D. Medical Care, Inc.
Fredonia Regional Hospital Medical Center of East Houston
Fremont Family Medicine Medicine Lodge Memorial Hospital
Generations Primary Care MedPartners
MHP Cardiology Rolando P. Oro MD, PA
Michael Mann, MD, PC Ronald Chochinov
Michelle Barnes Marshall, P.C. Sabetha Community Hospital
Michiana Gastroenterology, Inc. Santa Cruz Pulmonary Medical Group
Minneola District Hospital Santone Chiropractic
Mora Surgical Clinic Sarasota Cardiovascular Group
Moundridge Mercy Hospital Inc Sarasota Center for Family Health Wellness
myhealthnow Sarasota Heart Center
Nancy L. Carteron M.D. Satanta District Hospital
Naples Heart Rhythm Specialists Saul & Cutarelli MD's Inc.
Nate Delisi DO Shaver Medical Clinic, P. A.
Neighborhood Health Clinic Skiatook Osteopathic Clinic Inc.
Neosho Memorial Regional Medical Center Sleep Centers of Fort Wayne
Neuro Spine Pain Surgery Center Smith County Hospital
Norman G. McKoy, M.D. & Ass., P.A. Smith Family Chiropractic
North Corridor Internal Medicine Somers Eye Center
Nova Pain Management South Forsyth Family Medicine & Pediatrics
Novapex Franklin Southeast Rehabilitation Associates PC
Oakland Family Practice Southgate Radiology
Oakland Medical Group Southwest Internal Medicine & Pain Management
Ohio Physical Medicine & Rehabilitation Inc. Southwest Orthopaedic Surgery Specialists,PLC
On Track For Life Stafford County Hospital
Ottawa County Health Center Stephen Helvie MD
Pareshchandra C. Patel MD Stephen T. Child MD
Parkview Health System, Inc. d/b/a Family Susan A. Kubica MD
Practice Associates of Huntington Texas Childrens Hospital
Parkview Health System, Inc. d/b/a Fort Wayne The Children's Health Place
Cardiology The Heart & Vascular Specialists
Parrott Medical Clinic The Heart and Vascular Center of Sarasota
Partners In Family Care The Imaging Center
Personalized Health Care Of Tucson The Johnson Center for Pelvic Health
Phillips County Hospital The Medical Foundation, My Lab Results Portal
Physical Medicine Consultants Thompson Family Chiropractic
Physicians of North Worchester County Trego County Hospital
Precision Weight Loss Center Union Square Dermatology
Primary & Alternative Medical Center Volunteers in Medicine
Prince George's County Health Department Wells Chiropractic Clinic
Rebecca J. Kurth M.D. Wichita County Health Center
Relief Center William Klope MD
Republic County Hospital Wyoming Total Health Record Patient Portal
Ricardo S. Lemos MD Yovanni Tineo M.D.
Richard A. Stone M.D. Zack Hall M.D.
Richard Ganz MD River Primary Care
 

In addition to its previously identified clients, including Franciscan St. Francis Health Indianapolis, the following additional healthcare providers were affected by the Medical Informatics Engineering cyber attack. Patients of these healthcare providers may be affected, and individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected healthcare providers include:

RediMed
Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center (including Neurology, Physical Medicine and Neurosurgery)
Fort Wayne Radiology Association, LLC including d/b/a Nuvena Vein Center and Dexa Diagnostics
Open View MRI, LLC
Breast Diagnostic Center, LLC
P.E.T. Imaging Services, LLC
MRI Center -Fort Wayne Radiology, Inc. (f/k/a Advanced Imaging Systems, Inc.)

Individuals who received services from Fort Wayne Radiology Association, Open View, Breast Diagnostic Center, PET Imaging or MRI Center during the period of time from January 1, 1997 to May 26, 2015 may be affected. The database relating to these healthcare providers was accessed on May 26, 2015. Individuals may also visit the providers’ websites, which may be accessed at www.fwradiology.com , for information on this incident. Affected individuals may include, along with potential others, individuals who received radiology services during this time at any of the organizations identified below:

        Accustat Medical Lab, Inc.           Indianapolis, IN
Allergy & Asthma Center Fort Wayne, IN
Associated Physicians & Surgeons Clinic, LLC Terre Haute, IN
Ball Memorial Hospital Muncie, IN
Bedford Regional Medical Center Bedford, IN
Cameron Memorial Community Hospital Angola, IN
Central Indiana Orthopedics, PC Muncie, IN
Community Memorial Hospital Hicksville, OH
Ear, Nose & Throat Associates Fort Wayne, IN
Family Medicine Associates, Jerry Sell, M.D. Rockford, OH
First Care Family Physicians Fort Wayne, IN
Fort Wayne Medical Oncology & Hematology Fort Wayne, IN
Gary Pitts, M.D. Warsaw, IN
Indiana Urgent Care Centers, LLC Indianapolis, IN
Indiana University Health Center Bloomington, IN
Jasper County Hospital Rensselaer, IN
Manchester Family Physicians North Manchester, IN
MedCorp Toledo, OH
Meridian Health Group Carmel, IN
Nationwide Mobile Imaging Fort Wayne, IN
Neighborhood Health Clinic Fort Wayne, IN
Orthopaedics Northeast Fort Wayne, IN
Parkview Regional Medical Center Fort Wayne, IN
Parkview Hospital Fort Wayne, IN
Parkview Ortho Hospital Fort Wayne, IN
Parkview Heart Institute Fort Wayne, IN
Parkview Women & Children’s Hospital Fort Wayne, IN
Parkview Noble Hospital Kendallville, IN
Parkview Huntington Hospital Huntington, IN
Parkview Whitley Hospital Columbia City, IN
Parkview LaGrange Hospital LaGrange, IN
Parkview Physicians Group
Parkview Occupational Health Centers
Paulding County Hospital Paulding, OH
Prompt Care Express Coldwater, MI; Sturgis, MI
Public Safety Medical Services Indianapolis, IN
Purdue University Health Center W. Lafayette, IN
Southwestern Medical Clinics Berrien Springs, MI
Tri-State Medical Imaging Angola, Indiana
Union Associated Physicians Clinic Terre Haute, IN
U.S. Healthworks Medical Group of Indiana Elkhart, IN
Van Wert County Hospital Van Wert, OH
Wabash County Hospital Wabash, IN
Wabash Family Care Wabash, IN
 

We take the security of health information very seriously and understand that such incidents cause real concern. We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge.

Contacts

Media:
Medical Informatics Engineering
Eric Jones, 260-459-6270
Co-Founder and COO
eric@mieweb.com

Contacts

Media:
Medical Informatics Engineering
Eric Jones, 260-459-6270
Co-Founder and COO
eric@mieweb.com