FORT WAYNE, Ind.--(BUSINESS WIRE)--On behalf of itself, its NoMoreClipboard subsidiary and its affected clients, Medical Informatics Engineering is writing to provide updated notice of a data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record or a NoMoreClipboard personal health record or patient portal. We emphasize that the patients of only certain clients of Medical Informatics Engineering and NoMoreClipboard were affected by this compromise and those clients have all been notified.
On May 26, 2015, we discovered suspicious activity in one of our servers. We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data.
We are continuing to take steps to remediate and enhance the security of our systems. Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset.
Information compromised
While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering’s network has been affected. The affected data relating to individuals affiliated with affected Medical Informatics Engineering clients may include an individual’s name, telephone number, mailing address, username, hashed password, security question and answer, spousal information (name and potentially date of birth), email address, date of birth, Social Security number, lab results, health insurance policy information, diagnosis, disability code, doctor’s name, medical conditions, and child’s name and birth statistics. The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individuals’ name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.
Notification
On June 2, 2015, we began contacting and mailing notice letters disclosing this incident to affected NoMoreClipboard and Medical Informatics Engineering clients.
On July 17, 2015, we began mailing notice letters to affected individuals for whom we have a valid postal address through U.S. mail, and we expect those letters to be mailed on or before July 25, 2015. Information contained in the notice letter is available at www.mieweb.com and www.NoMoreClipboard.com. We have also disclosed this incident to certain state and federal regulators and to the consumer reporting agencies.
Identity protection services
As the investigations continue, and out of an abundance of caution, we are offering affected individuals access to two years of credit monitoring and identity protection services at no charge.
Fraud prevention tips
We suggest affected individuals remain vigilant and seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements for suspicious activity. We also encourage affected individuals to notify their credit card companies, health care providers, and heath care insurers of this data security incident. Affected individuals may also review explanation of benefits statement(s) that they receive from their healthcare provider or health plan. If an affected individual sees any service that he/she believes he/she did not receive, the individual should contact his/her health care provider or health plan at the telephone number listed on the explanation of benefits statement(s). If an affected individual does not receive regular explanation of benefits statement(s), we suggest he/she contact his/her healthcare provider or health plan and ask that they send a copy after each visit the affected individual makes with his/her health care provider.
We also suggest that affected individuals carefully review their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To obtain a free credit report, visit www.annualcreditreport.com or call, toll-free, (877) 322-8228.
At no charge, individuals can also have these credit bureaus place a "fraud alert" on their file that alerts creditors to take additional steps to verify the his/her identity prior to granting credit in his/her name. Please note, however, that because it tells creditors to follow certain procedures to protect an individual’s credit, it may also delay the ability to obtain credit while the agency verifies the individual’s identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on an individual’s file. If you wish to place a fraud alert, or you have questions regarding your credit report, you can contact any one of the following agencies: Equifax, Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374, (800) 525-6285, www.equifax.com; Experian, Consumer Fraud Assistance, P.O. Box 9556, Allen, TX 75013, (888) 397-3742, www.experian.com; TransUnion, Consumer Relations & Fraud Victim Assistance, 1561 E. Orangethorpe Avenue, Fullerton, CA 92831, (800) 372-8391, www.transunion.com. Information regarding security freezes may also be obtained from these sources.
The Federal Trade Commission (FTC) encourages those who discover that their information has been misused to file a complaint with them. To file a complaint with the FTC, or to obtain additional information on identity theft and the steps that can be taken to avoid identity theft, the FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft, (877) ID-THEFT (877-438-4338); TTY: (866) 653-4261. This notice has not been delayed because of law enforcement; however, instances of known or suspected identity theft should be reported to local law enforcement, your state Attorney General, and the FTC. State Attorneys General may also have advice on preventing identity theft. Individuals can also learn more about placing a fraud alert or security freeze on their credit files by contacting the FTC or state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, (919) 716-6400, www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, (888) 743-0023, www.oag.state.md.us. For Kentucky residents, the Attorney General can be contacted at 700 Capitol Avenue, Suite 118, Frankfort, Kentucky 40601-3449, 502-696-5389, www.ag.ky.gov. For Indiana residents, the Attorney General can be contacted at 302 W. Washington Street, Indianapolis, Indiana 46204, (317) 232-6201, www.in.gov.
Security Freeze
Under MA and WV law, affected individuals have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it. Under MA and WV law, you may place a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.
If you have been a victim of identity theft, and provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $5.00 in MA and $5.30 in WV each to place, temporarily lift, or permanently remove a security freeze. To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies. In order to request a security freeze, you will need to provide the following information:
| 1. | Your full name (including middle initial as well as Jr., Sr., II, III, etc.); | |||||||
| 2. | Social Security number; | |||||||
| 3. | Date of birth; | |||||||
| 4. | If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years; | |||||||
| 5. | Proof of current address, such as a current utility bill or telephone bill; | |||||||
| 6. | A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); | |||||||
| 7. | If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft; | |||||||
| 8. | If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash through the mail. | |||||||
The credit reporting agencies have three (3) business days after receiving a request to place a security freeze on a credit file report. The credit bureaus must also send written confirmation to the individual within five (5) business days and provide individual with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze. To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to remove the security freeze.
Toll-free hotline
We have established a confidential, toll free hotline to assist affected individuals with questions regarding the incident, their affected personal and protected health information, their affected healthcare provider(s), and the identity monitoring and protection services we are making available. The hotline can be reached at (866) 328-1987, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, except for holidays. If you would like to confirm whether you are affected by this incident, you may call our hotline. Updates regarding this incident, our investigation and steps individuals may take to protect themselves from identity theft and fraud will be available on www.nomoreclipboard.com and www.mieweb.com and through our toll free hotline. Questions regarding the incident should not be directed to your healthcare provider(s) as they may not be able to answer your questions.
Affected entities
Physician practices, hospitals, and other organizations work with NoMoreClipboard to offer patient portals and personal health records which enable consumers to access and manage health information online. Individuals who use patient portals or personal health records offered by the following entities may be affected by this cyber attack. Individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected organizations include:
| Advanced Cardiac Care | Allied Physicians, Inc. d/b/a Fort Wayne Neurological Center | |||||||||||
| Advanced Foot Specialists | (including Neurology, Physical Medicine and Neurosurgery) | |||||||||||
| All About Childrens Pediatric Partners, PC | Altagracia Medical Center | |||||||||||
| Allen County Dept of Health | Anderson Family Medicine | |||||||||||
| Arkansas Otolaryngology, P.A. | Grace Community Health Center, Inc. | |||||||||||
| Auburn Cardiology Associates | Grisell Memorial Hospital | |||||||||||
| Basedow Family Clinic Inc. | Harding Pediatrics LLP | |||||||||||
| Bastrop Medical Clinic | Harlan County Health System | |||||||||||
| Batish Family Medicine | Health Access Program | |||||||||||
| Beaver Medical | Heart Institute of Venice | |||||||||||
| Boston Podiatry Services PC | Henderson Minor Outpatient Medicine | |||||||||||
| Brian Griner M.D. | Henry County Hospital myhealth portal | |||||||||||
| Brightstarts Pediatrics | Highgate Clinic | |||||||||||
| Burnsville Medical Center | Hobart Family Medical Clinic | |||||||||||
| Capital Rehabilitation | Howard Stierwalt, M.D. | |||||||||||
| Cardiovascular Consultants of Kansas | Howard University Hospital | |||||||||||
| Carl Gustafson OD | Hudson Essex Nephrology | |||||||||||
| Carolina Gastroenterology | Huntington Medical Associates | |||||||||||
| Carolina Kidney & Hypertension Center | Huntington Medical Group | |||||||||||
| Carolinas Psychiatric Associates | Hutchinson Regional Medical Center | |||||||||||
| Center for Advanced Spinal Surgery | Idaho Sports Medicine Institute | |||||||||||
| Chang Neurosurgery & Spine Care | In Step Foot & Ankle Specialists | |||||||||||
| Cheyenne County Hospital | Independence Rehabilitation Inc | |||||||||||
| Children's Clinic of Owasso, P.C. | Indiana Endocrine Specialists | |||||||||||
| Clara A. Lennox MD | Indiana Internal Medicine Consultants | |||||||||||
| Claude E. Younes M.D., Inc. | Indiana Ohio Heart | |||||||||||
| CMMC | Indiana Surgical Specialists | |||||||||||
| Coalville Health Center | Indiana University | |||||||||||
| Cornerstone Medical and Wellness, LLC | Indiana University Health Center | |||||||||||
| Cumberland Heart | Indianapolis Gastroenterology and Hepatology | |||||||||||
| David A. Wassil, D.O. | Internal Medicine Associates | |||||||||||
| David M Mayer MD | IU - Northwest | |||||||||||
| Dr. Alicia Guice | Jackson Neurolosurgery Clinic | |||||||||||
| Dr. Anne Hughes | James E. Hunt, MD | |||||||||||
| Dr. Buchele | Jasmine K. Leong MD | |||||||||||
| Dr. Clark | Jewell County Hospital | |||||||||||
| Dr. Harvey | John Hiestand, M.D. | |||||||||||
| Dr. John Labban | Jonathan F. Diller, M.D. | |||||||||||
| Dr. John Suen | Jubilee Community Health | |||||||||||
| Dr. Puleo | Kardous Primary Care | |||||||||||
| Dr. Rajesh Rana | Keith A. Harvey, M.D. | |||||||||||
| Dr. Rustagi | Kenneth Cesa DPM | |||||||||||
| Dr. Schermerhorn | Kings Clinic and Urgent Care | |||||||||||
| Dr. Shah | Kiowa County Memorial Hospital | |||||||||||
| Ear, Nose & Throat Associates, P.C. | Kristin Egan MD | |||||||||||
| East Carolina Medical Associates | Lakeshore Family Practice | |||||||||||
| Eastern Washington Dermatology Associates | Lane County Hospital | |||||||||||
| Ellinwood District Hospital | Logan County Hospital | |||||||||||
| Family Care Chiropractic Center | Margaret Mary Health | |||||||||||
| Family Practice Associates of Macomb | Masonboro Urgent Care | |||||||||||
| Family Practice of Macomb | McDonough Medical Group Psychiatry | |||||||||||
| Floyd Trillis Jr., M.D. | Medical Care, Inc. | |||||||||||
| Fredonia Regional Hospital | Medical Center of East Houston | |||||||||||
| Fremont Family Medicine | Medicine Lodge Memorial Hospital | |||||||||||
| Generations Primary Care | MedPartners | |||||||||||
| MHP Cardiology | Rolando P. Oro MD, PA | |||||||||||
| Michael Mann, MD, PC | Ronald Chochinov | |||||||||||
| Michelle Barnes Marshall, P.C. | Sabetha Community Hospital | |||||||||||
| Michiana Gastroenterology, Inc. | Santa Cruz Pulmonary Medical Group | |||||||||||
| Minneola District Hospital | Santone Chiropractic | |||||||||||
| Mora Surgical Clinic | Sarasota Cardiovascular Group | |||||||||||
| Moundridge Mercy Hospital Inc | Sarasota Center for Family Health Wellness | |||||||||||
| myhealthnow | Sarasota Heart Center | |||||||||||
| Nancy L. Carteron M.D. | Satanta District Hospital | |||||||||||
| Naples Heart Rhythm Specialists | Saul & Cutarelli MD's Inc. | |||||||||||
| Nate Delisi DO | Shaver Medical Clinic, P. A. | |||||||||||
| Neighborhood Health Clinic | Skiatook Osteopathic Clinic Inc. | |||||||||||
| Neosho Memorial Regional Medical Center | Sleep Centers of Fort Wayne | |||||||||||
| Neuro Spine Pain Surgery Center | Smith County Hospital | |||||||||||
| Norman G. McKoy, M.D. & Ass., P.A. | Smith Family Chiropractic | |||||||||||
| North Corridor Internal Medicine | Somers Eye Center | |||||||||||
| Nova Pain Management | South Forsyth Family Medicine & Pediatrics | |||||||||||
| Novapex Franklin | Southeast Rehabilitation Associates PC | |||||||||||
| Oakland Family Practice | Southgate Radiology | |||||||||||
| Oakland Medical Group | Southwest Internal Medicine & Pain Management | |||||||||||
| Ohio Physical Medicine & Rehabilitation Inc. | Southwest Orthopaedic Surgery Specialists,PLC | |||||||||||
| On Track For Life | Stafford County Hospital | |||||||||||
| Ottawa County Health Center | Stephen Helvie MD | |||||||||||
| Pareshchandra C. Patel MD | Stephen T. Child MD | |||||||||||
| Parkview Health System, Inc. d/b/a Family | Susan A. Kubica MD | |||||||||||
| Practice Associates of Huntington | Texas Childrens Hospital | |||||||||||
| Parkview Health System, Inc. d/b/a Fort Wayne | The Children's Health Place | |||||||||||
| Cardiology | The Heart & Vascular Specialists | |||||||||||
| Parrott Medical Clinic | The Heart and Vascular Center of Sarasota | |||||||||||
| Partners In Family Care | The Imaging Center | |||||||||||
| Personalized Health Care Of Tucson | The Johnson Center for Pelvic Health | |||||||||||
| Phillips County Hospital | The Medical Foundation, My Lab Results Portal | |||||||||||
| Physical Medicine Consultants | Thompson Family Chiropractic | |||||||||||
| Physicians of North Worchester County | Trego County Hospital | |||||||||||
| Precision Weight Loss Center | Union Square Dermatology | |||||||||||
| Primary & Alternative Medical Center | Volunteers in Medicine | |||||||||||
| Prince George's County Health Department | Wells Chiropractic Clinic | |||||||||||
| Rebecca J. Kurth M.D. | Wichita County Health Center | |||||||||||
| Relief Center | William Klope MD | |||||||||||
| Republic County Hospital | Wyoming Total Health Record Patient Portal | |||||||||||
| Ricardo S. Lemos MD | Yovanni Tineo M.D. | |||||||||||
| Richard A. Stone M.D. | Zack Hall M.D. | |||||||||||
| Richard Ganz MD | River Primary Care | |||||||||||
In addition to its previously identified clients, including Franciscan St. Francis Health Indianapolis, the following additional healthcare providers were affected by the Medical Informatics Engineering cyber attack. Patients of these healthcare providers may be affected, and individual notice letters have been sent to affected individuals for whom we have a valid mailing address. Affected healthcare providers include:
RediMed
Allied Physicians, Inc. d/b/a Fort Wayne Neurological
Center (including Neurology, Physical Medicine and Neurosurgery)
Fort
Wayne Radiology Association, LLC including d/b/a Nuvena Vein Center and
Dexa Diagnostics
Open View MRI, LLC
Breast Diagnostic Center,
LLC
P.E.T. Imaging Services, LLC
MRI Center -Fort Wayne
Radiology, Inc. (f/k/a Advanced Imaging Systems, Inc.)
Individuals who received services from Fort Wayne Radiology Association, Open View, Breast Diagnostic Center, PET Imaging or MRI Center during the period of time from January 1, 1997 to May 26, 2015 may be affected. The database relating to these healthcare providers was accessed on May 26, 2015. Individuals may also visit the providers’ websites, which may be accessed at www.fwradiology.com , for information on this incident. Affected individuals may include, along with potential others, individuals who received radiology services during this time at any of the organizations identified below:
| Accustat Medical Lab, Inc. | Indianapolis, IN | |||||||||
| Allergy & Asthma Center | Fort Wayne, IN | |||||||||
| Associated Physicians & Surgeons Clinic, LLC | Terre Haute, IN | |||||||||
| Ball Memorial Hospital | Muncie, IN | |||||||||
| Bedford Regional Medical Center | Bedford, IN | |||||||||
| Cameron Memorial Community Hospital | Angola, IN | |||||||||
| Central Indiana Orthopedics, PC | Muncie, IN | |||||||||
| Community Memorial Hospital | Hicksville, OH | |||||||||
| Ear, Nose & Throat Associates | Fort Wayne, IN | |||||||||
| Family Medicine Associates, Jerry Sell, M.D. | Rockford, OH | |||||||||
| First Care Family Physicians | Fort Wayne, IN | |||||||||
| Fort Wayne Medical Oncology & Hematology | Fort Wayne, IN | |||||||||
| Gary Pitts, M.D. | Warsaw, IN | |||||||||
| Indiana Urgent Care Centers, LLC | Indianapolis, IN | |||||||||
| Indiana University Health Center | Bloomington, IN | |||||||||
| Jasper County Hospital | Rensselaer, IN | |||||||||
| Manchester Family Physicians | North Manchester, IN | |||||||||
| MedCorp | Toledo, OH | |||||||||
| Meridian Health Group | Carmel, IN | |||||||||
| Nationwide Mobile Imaging | Fort Wayne, IN | |||||||||
| Neighborhood Health Clinic | Fort Wayne, IN | |||||||||
| Orthopaedics Northeast | Fort Wayne, IN | |||||||||
| Parkview Regional Medical Center | Fort Wayne, IN | |||||||||
| Parkview Hospital | Fort Wayne, IN | |||||||||
| Parkview Ortho Hospital | Fort Wayne, IN | |||||||||
| Parkview Heart Institute | Fort Wayne, IN | |||||||||
| Parkview Women & Children’s Hospital | Fort Wayne, IN | |||||||||
| Parkview Noble Hospital | Kendallville, IN | |||||||||
| Parkview Huntington Hospital | Huntington, IN | |||||||||
| Parkview Whitley Hospital | Columbia City, IN | |||||||||
| Parkview LaGrange Hospital | LaGrange, IN | |||||||||
| Parkview Physicians Group | ||||||||||
| Parkview Occupational Health Centers | ||||||||||
| Paulding County Hospital | Paulding, OH | |||||||||
| Prompt Care Express | Coldwater, MI; Sturgis, MI | |||||||||
| Public Safety Medical Services | Indianapolis, IN | |||||||||
| Purdue University Health Center | W. Lafayette, IN | |||||||||
| Southwestern Medical Clinics | Berrien Springs, MI | |||||||||
| Tri-State Medical Imaging | Angola, Indiana | |||||||||
| Union Associated Physicians Clinic | Terre Haute, IN | |||||||||
| U.S. Healthworks Medical Group of Indiana | Elkhart, IN | |||||||||
| Van Wert County Hospital | Van Wert, OH | |||||||||
| Wabash County Hospital | Wabash, IN | |||||||||
| Wabash Family Care | Wabash, IN | |||||||||
We take the security of health information very seriously and understand that such incidents cause real concern. We apologize sincerely and thank our customers for their continued loyalty and patience as we work through this challenge.